that basically says the user is a security vulnerability or we have a too complicated system where users need to sign events that they don't understand? :) (at the same time users complain they get asked too much) and any signing prompt is imo better than handing over the private key. generally the user needs a bit of trust in the webapp. otherwise signing something is never a good idea imo. I think there is a signPsbt function.