It did happen a lot back when Anigma was still a thing and XSS injection was possible and the nsec was saved in the browser. More recently the problem is that devs don't check the libraries they are using and don't know what the library is doing. It wouldnt be very difficult to find a dev using a library that was intentionally designed to steal the nsec. The other problem is that nsec wouldn't have to be used right away. Attackers can steal the naec and wait for when the account is large and with influence to sell or use it somehow. Couple that with the fact that separate relays can have different things, it is possible for an attacker to use your nsec in just one relay and all users of that relay can fall into giving the attacker's money thinking it was you. And you won't even noticed what is happening if you don't use that relay. You would swear your key is safe while attackers are running wild with it. Also, they can post in the past and future as you to build reputation for other things/keys since no one is checking if you actually wrote your past posts anyway.