It's possible to build a trustless nsecbunker: a bunker where your private key is not held by the online service provider, but by you in your phone.

Just make an app that receives signing requests via Push Notifications. The bunker server then simply reads new NIP-46 request events from the user's relay and Pushes it to the app. The app wakes up, gets the event and presents an approval screen to the user. After approval, the app sends the NIP-46 response to the client.

The entire permission system would run on your phone.

It would be like a 2-step-auth for every signature. Every like would hit the phone for approval.

Maybe greenart7c3 can turn Amber into that.