We have noticed that many people use custodial email in combination with a generic password. Email is far more vulnerable than a private key approach. 2FA can also work with Nostr.

Replies (3)

Sure, I will agree, for technically savvy users -- developers, etc., that a private key might be a better approach. The issue is Normies -- people who have never touched a private key, and don't really even have "a place to put it". The issue isn't just "security" -- the real issue is "I have this account with sats somewhere and I can't remember what the website is called or how I get back to it or what my password is." This is EXTREMELY common. Everyone knows the solution to this is to search their email for the right keyword and BAM -- there is the confirmation email from the service. Then you go to the service, do a "password reset" -- and you are back in. If the user has not enabled 2FA, then you are completely right, a user can be hacked by someone gaining control of their email. But I submit to you that this is not the usual problem. The usual problem is "how do I get back to the website where my sats are stored, I can't even remember the name of it." I expect that 75% of Nostr developers and Linux users will vehemently disagree with me on this issue.
The other issue is this -- I am technically savvy, and when I FIRST joined Nostr, I mistakenly set up multiple separate private keys on different apps, and got fully confused, and then had to start over again. If I had started my journey by ALSO locking my satoshis to the first private key I ever generated... I would have been very sad.