Something that concerns me about the fc signer architecture is how it increases the attack surface area for your account the more apps you allow to sign on your behalf

This limits the propensity for users to try new apps especially if they have a large audience

Solutions: portable signers? Permissions? Sessions?

cypherpunk wannabe, engineer working on @frames /open-frames /opencast
https://stephancill.co.za

Rough idea, may not be feasible: Right now, a signer can either be approved or removed. There could be an intermediate state, something like "stoped".
If a signer is stoped:
- New messages signed with it are not valid (but old ones are not pruned)
- It can only be removed (not approved again).

Dad, geek, conversation liquidity provider. vrypan.net (home), /weatherxm (work), @l--o--l (fun). Also https://paragraph.xyz/@purplesubmarine

There are many implications when messing with signers, and a lot of thought has to be put in it. 
But maybe it can be implemented without smart contract changes. A message to stop a signer must be signed by the signer itself.

I like this and it would solve the confusion related to messages being pruned after deleting a signer

Point of clarification here, did you mean "stopped", like "stop", as in "not moving anymore", or did you really mean "stope", like carving out something with multiple layers?