The nsec lives in the nsecbunker (on a server somewhere). So whenever an event needs to be signed, the raw event is sent as a payload to the bunker where it is signed and returned.

so, if i sign in with flare, then oauth to coracle, how much information does flare get about where and what i'm requesting to be done indirectly via the bunker? it is convenient, sure, but it seems like a honeypot of data for the sites you use as intermediaries i think using legacy second party authentication for this is a bad security decision