People always say that but it also seems reasonable to expect an app not to send the nsec anywhere. It's not like it was hacked. A signer app may separate concerns but it's still more code to audit.