Replies (1)

Karadenizli 5 months ago
Separate into 2 types of apps: "sign in with nostr", and "link nostr account". One type of app actually constructs notes on your behalf, the other only links to your identity. Ideally neither ever sees your nsec. Your nsec only exists in a single signer app. The link nostr types will only ever verify your identity. Things like a video game, just lets you dox yourself similar to how games get you to link your twitch account. These will request a signature from your signer app only to verify that you actually own the npub you entered. The other type of app is various nostr clients. Those will send requests to your signer app every time they wanna create a note. Your signer app will have basic permission settings for every app similar to your phone's. First time on an app it will ask if you want it to sign notes from that app, either "always", "ask every time" or "never". You will also be able to grant permissions for which kinds they can sign. For example, you wanna try a new shitposting meme app so you give it permission to sign kind 20 (picture-first) notes automatically, but that app will never be able to change your kind 0 (profile info).
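The per-app permission model sketched in the reply above, written out as an added example (not code from the original post or from any nostr signer project). It models only the signer's decision for each request: sign silently, prompt the user, or refuse. The Schnorr signing and the event format are assumed to live elsewhere, the app names are constructed, and the use of a NIP-42 style kind 22242 authentication event as the identity challenge for "link nostr account" apps is an assumption of the example, since the reply does not specify a challenge format.

```python
"""Per-app signing policy for a nostr signer (added example, not from the post)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AppType(Enum):
    LINK = "link"      # "link nostr account": only proves you own the npub
    CLIENT = "client"  # "sign in with nostr": a client that builds notes for you


class Policy(Enum):
    ALWAYS = "always"
    ASK = "ask every time"
    NEVER = "never"


class Decision(Enum):
    SIGN = "sign"      # sign without a prompt
    PROMPT = "prompt"  # show the user the request before signing
    REFUSE = "refuse"  # refuse outright, no prompt


# Assumption: link apps verify ownership by asking for a signature over a
# NIP-42 style client-authentication event (kind 22242), never over a note.
AUTH_KIND = 22242
PROFILE_KIND = 0  # kind 0 = profile metadata; blocked for every app by default


@dataclass
class Grant:
    app_type: AppType
    policy: Policy = Policy.ASK
    auto_kinds: frozenset = frozenset()                    # signed without asking
    blocked_kinds: frozenset = frozenset({PROFILE_KIND})   # never signed for this app


class SignerPolicy:
    """Decides, per app and per event kind, whether a signing request proceeds."""

    def __init__(self) -> None:
        self.grants: dict[str, Grant] = {}
        self.audit: list[tuple[str, int, Decision]] = []   # what was asked, what we did

    def register(self, app_id: str, app_type: AppType, policy: Policy = Policy.ASK,
                 auto_kinds=(), blocked_kinds=(PROFILE_KIND,)) -> None:
        """Record the user's choice for an app (what the first-time prompt stores)."""
        self.grants[app_id] = Grant(app_type, policy, frozenset(auto_kinds), frozenset(blocked_kinds))

    def decide(self, app_id: str, kind: int) -> Decision:
        decision = self._decide(self.grants.get(app_id), kind)
        self.audit.append((app_id, kind, decision))
        return decision

    @staticmethod
    def _decide(grant: Optional[Grant], kind: int) -> Decision:
        if grant is None:
            return Decision.PROMPT                 # first contact: user picks a policy
        if grant.policy is Policy.NEVER:
            return Decision.REFUSE
        if grant.app_type is AppType.LINK:
            # A link app may only request the identity challenge, never a note.
            if kind != AUTH_KIND:
                return Decision.REFUSE
            return Decision.SIGN if grant.policy is Policy.ALWAYS else Decision.PROMPT
        if kind in grant.blocked_kinds:
            return Decision.REFUSE                 # e.g. kind 0 stays out of reach
        if grant.policy is Policy.ALWAYS or kind in grant.auto_kinds:
            return Decision.SIGN
        return Decision.PROMPT


def demo() -> dict[str, Decision]:
    """Constructed scenario: a meme app, a video game, a client set to 'never', and a new app."""
    signer = SignerPolicy()
    signer.register("meme-app", AppType.CLIENT, Policy.ASK, auto_kinds={20})  # kind 20 = picture
    signer.register("video-game", AppType.LINK)
    signer.register("spammy-client", AppType.CLIENT, Policy.NEVER)
    return {
        "meme picture": signer.decide("meme-app", 20),        # auto-signed
        "meme text note": signer.decide("meme-app", 1),       # asks each time
        "meme profile edit": signer.decide("meme-app", 0),    # refused, kind 0 blocked
        "game challenge": signer.decide("video-game", AUTH_KIND),  # prompt to prove npub
        "game note": signer.decide("video-game", 1),          # link apps never get notes
        "spammy note": signer.decide("spammy-client", 1),     # policy 'never'
        "unknown app": signer.decide("new-app", 1),           # first-time prompt
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:20s} -> {decision.value}")
```

The design point worth noting is that the two app types are enforced structurally rather than by the user remembering to untick boxes: a link app is refused any kind other than the challenge kind before per-kind grants are even consulted, and kind 0 is blocked by default so that a per-kind grant for one kind cannot quietly widen into a profile rewrite.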