>basic opsec required to protect their private key without losing it.

Exactly. I've long wondered if there's any way to overcome this without essentially going back to a 'trusted broker/custodian' model