Signing stuff on Nostr can be done a few different ways. Remote signing is one of them. Signer extensions are another. Here's a basic rundown.

Bare Nsec Signing - This is when you give the Nostr client (YakiHonne, Damus, Primal, etc.) your nsec directly, so the client itself can sign anything it needs to (or wants to) with or without your express permission. This is dangerous, because the more apps you hand your nsec out to, the more likely it is to end up compromised. That could happen because you gave your nsec to a malicious application, or simply because of an unintentional bug in the client's code. Don't give Nostr clients your nsec if you can at all avoid it.

Browser Extension Signers - This signing method is detailed in NIP-07, and it is a standard signing method for almost ALL Nostr web clients, that is, clients you access via your web browser. Using this method, your nsec is stored locally on your device, and the Nostr web client sends signing requests to the extension, which uses your nsec to sign them; the signing operation happens entirely on the device you are using. This is much better than giving a Nostr client your bare nsec, since only one application has your private key instead of potentially hundreds. However, it has the downside that it can't really be used with any Nostr clients except the ones you access via your web browser. On iOS, one app that uses this signing method is @Keychat. I highly recommend it for all of your Nostr web client needs.

Remote Signing/Bunkers - This signing method is detailed in NIP-46, and unlike Browser Extension Signers, it can be used with any type of Nostr client, both web clients and native apps, so long as the client has added support for it. It is called "Remote Signing" because the application holding your nsec may or may not be on the same device as the Nostr client that is making the signing requests.

The trade-offs of using a remote signer will vary greatly based on which one you use. For instance, if you are using nsec.app, you are entrusting your nsec to a server you don't control and you are trusting the app developer, but if you are using a remote signer running on your own home server, you have less risk, since you only have to trust the developer of the signer software. There are even standalone devices for holding your nsec and signing remotely. On iOS, you can use Aegis as a "remote signer" application. I put quotes around that, because Aegis still does the signing locally on your device, and you can only really use it with apps you are accessing from the same device Aegis is running on.

Android Signing - This signing method is detailed in NIP-55, and it is only available for Nostr clients on Android. It allows Nostr clients to reach out to another application running on the Android device to request signing. The most common application used for this signing method is Amber. This method is not available on iOS, because iOS partitions applications from one another more strictly.

Now, these methods of signing are quite a separate matter from backing up your nsec. Though the name "bunker" seems to imply a safe place to store your nsec, that is not really its intended use. It's a way to have only one application that knows your nsec, rather than giving it to every Nostr client you use. There are a couple of different ways to safely store a backup of your nsec. The first is to turn it into an ncryptsec. This is just an encrypted version of your nsec, protected by a strong password, but then you need to either remember or store that password somewhere, too. The other method is to turn it into a seed phrase, just like a Bitcoin seed phrase. Amber signer can do both of these for you, but it is only on Android... Aegis can create an ncryptsec for you, though, and then you can store that however you like. So long as the password you used is strong enough, you can even store it in a cloud drive without worrying about it, because it's useless without the password used to generate it.