I've taken a personal interest in solving this too
Key management is a big problem with just about everything; that's one of the biggest grievances of new Bitcoin users too... I often use the example of grizzled old *nix admins still fumbling with SSH keys for decades now with no great alternatives.
Browser extensions for Nostr are a terrible solution too, they generally give the publisher access to your full browser storage across every domain, and they don't even work on mobile where they're needed most.
As bad as the products are, Bitcoin hardware wallets are at least directionally correct in separating signing keys from connected devices... but Nostr itself is an inherently online thing so that's not a solution either.
NsecBunker got the right idea generally, I just don't like the unscalable implementation with NIP46, so am working on something more robust.
The idea being OAuth-like, apps connect to a remote-signer over a tunnel with revocable tokens and a permission set. The signer can then be a daemon hosted anywhere like a hardened VPS or an Umbrel/Start9.
Solving it in this way also opens the door to high-profile Nostr accounts, managed by social media teams or automation etc., where the proprietor doesn't have to give up the key to an intern.
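The authorization step of the OAuth-like design described in the comment above, as an added example that is not the commenter's or any project's code: a signer-side gate that checks a revocable, expiring token and its permission set before a signing request reaches the key. The class and method names, the choice of Nostr event kinds as the permission unit, and the app name in the test are assumptions.

```python
import hashlib
import secrets
import time


class SignerPolicy:
    """Hypothetical gate a remote signer runs before it uses the key."""

    def __init__(self):
        # Only SHA-256 digests of tokens are stored, so a leaked grant
        # table does not hand out usable tokens.
        self._grants = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, app, allowed_kinds, ttl_seconds, now=None):
        """Create a token limited to the given Nostr event kinds."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = {
            "app": app,
            "kinds": frozenset(allowed_kinds),  # e.g. {1} = text notes only
            "expires": now + ttl_seconds,
            "revoked": False,
        }
        return token

    def revoke(self, token):
        """Disable one app's token without rotating the signing key."""
        grant = self._grants.get(self._digest(token))
        if grant is None:
            return False
        grant["revoked"] = True
        return True

    def authorize(self, token, event, now=None):
        """Return (allowed, reason) for a request to sign `event`."""
        now = time.time() if now is None else now
        grant = self._grants.get(self._digest(token))
        if grant is None:
            return False, "unknown token"
        if grant["revoked"]:
            return False, "token revoked"
        if now >= grant["expires"]:
            return False, "token expired"
        kind = event.get("kind")
        # Reject bools explicitly: True == 1 would match kind 1 in a set.
        if isinstance(kind, bool) or not isinstance(kind, int):
            return False, "kind not permitted"
        if kind not in grant["kinds"]:
            return False, "kind not permitted"
        return True, "ok"
```

A token issued for kind 1 only can post notes but cannot rewrite the profile (kind 0) or send encrypted DMs (kind 4), and revoking it leaves the key and every other app's token untouched.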
27 sats \ 1 reply \ @nyan OP 20 May
Thanks, finally someone who is not just saying, “duh, browser extensions idiot”. As you say, their required permissions are egregious. And they are still a hot wallet. Will be interested in your solution. Do you have an ETA?
We're kind of developing in production for use with our own apps at this point. Big refactor shipping later this week, but it'll probably be at least a month till we make a remote signer for Umbrels etc.
Can poke at the landing page though: https://auth.shock.network