this is nostr's greatest weakness. I suspect we will have something like one key per app you use, and you simply broadcast all of the keys associated with your account. this way you don't need to copy your nsec everywhere. I think all other solutions are just way too complicated. having a single key is a huge weakness, and I've never had a really good answer to this question.

maybe the identity key is never used for decrypting any secret stuff just in case, and we use device keys for encrypted content.

maybe we eventually switch to frost-based keys for multisig.

maybe we just have a key-rotation spec for when your key leaks. this spec is already mostly done as of a recent in person nostr dev meeting. the problem is getting everyone to adopt it which will take a long time for each app to implement this logic.

for now we out here yoloing keys into apps or using bunker/remote signing. don't put money in your keys 😅