In the eosjs docs (https://developers.eos.io/manuals/eosjs/latest/faq/what-is-a-signature-provider) it's said that JsSignatureProvider is insecure. Why exactly it's insecure? I'm kinda new and would like to use it in my backend pet project. I feel like if I'm gonna write my own signature provider I would just reinvent eosjs JsSignatureProvider.
The main reason why JsSignatureProvider
is insecure is that the constructor takes the private keys directly to perform the signing (which can be exposed to potential attack vectors, i.e., malicious extensions, etc.).
A more secure way may be to route the signing requests to a secure enclave without exposing the private keys, perform the signing there, and get back the signature.