Common argument for "export private key", but it's actually an argument against. If an app can show you your private key, it means they can show themselves too. So... yeah... they've got your keys and there's nothing you can do about it

DX Engineer | Head of Developer Relations at /pinata | Building orbiter.host | stevedylan.dev/links | opinions are my own

I know but you gave me bait to rant with. I can't resist

Unfortunately its not how the sharded key thing works. The private key can be reassembled remotely and captured by Privy (the wallet provider here). It is safe from the app developer (Warpcast in this case), assuming Privy doesn't give them some sort of backdoor access.

You could design a system that works this way using IPFS but you move the ability for recovery unless you use ZK and/or TEEs

This was indeed my plan all along lol

Devils advocate: What if the exporting of a private key is simply using the user's hashed password to unlock a local encrypted file? Similar to Foundry's cast keystores? Afaik the warpcast export is a sharded key taking a similar approach that's unlocked using the user's custody keypair