> [...] The other domains could always make it not use GitHub and re-prompt your nsec [...]
I'm sure you know it, but just to make it clear for future readers, the browser automatically isolates passkey storage (and storage in general) by domain. If 44billion.net changes the login iframe to a malicious URL, the nsecs won't be there. Nothing bad happens per se.