Sure, I will agree, for technically savvy users -- developers, etc., that a private key might be a better approach. The issue is Normies -- people who have never touched a private key, and don't really even have "a place to put it". The issue isn't just "security" -- the real issue is "I have this account with sats somewhere and I can't remember what the website is called or how I get back to it or what my password is." This is EXTREMELY common. Everyone knows the solution to this is to search their email for the right keyword and BAM -- there is the confirmation email from the service. Then you go to the service, do a "password reset" -- and you are back in. If the user has not enabled 2FA, then you are completely right, a user can be hacked by someone gaining control of their email. But I submit to you that this is not the usual problem. The usual problem is "how do i get back to the website where my sats are stored, I can't even remember the name of it." I expect that 75% of Nostr developers and Linux users will vehemently disagree with me on this issue.