Ability to disable password prompt for the extension.
laszlo.megyer, Dec 11, 2024
I don't want to hide my public key behind a password, as it is public anyway. If I could disable the password completely, that would remove friction in the UX for me.
Comments
I can understand that, and I also store my private key on it. The question is what the threat model is.
If we want to protect the users from somebody sitting in front of the computer wanting to steal my private/master keys, then it would be enough to ask for password when the private key is displayed.
If we want to protect the bitcoins held in the wallet, so the website cannot programmatically steal them, the password should be asked before accessing the wallet. I agree that it's important to protect the funds with a password.
But I don't agree that protecting nostr getPublicKey() with a password has any benefit.
For signing events via the extension, I think it should be possible to turn off password protection. Signing events in my name that I don't want to sign is something that the password won't protect me from, anyway. It's a matter of trust between me and the website. And signing stuff in my name is not a particularly high-reward attack.
The only kind of attack password protection is effective against is browser bugs where the sandbox can be broken out of. This is very rare and usually carried out by 3-letter agencies, who can easily crack weak passwords. So to be able to protect against it effectively, you should mandate a 16-character password with special characters and numbers in it.
Do you mind sharing the threat model you are protecting me from?
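As an added illustration of the per-operation threat model argued in the comment above (this is example code, not the Alby extension's own implementation), the policy below classes each NIP-07 style request by what a password actually protects: a public key is served without any prompt, funds and key material always require the password (honouring a time-limited unlock), and event signing is governed by a user setting plus per-site consent, which models the "trust between me and the website" the comment describes. The operation names, the unlock TTL and the consent mechanism are assumptions chosen for the example.

```javascript
// Added example (not the Alby extension's code): a prompt policy for a
// NIP-07 style signer, classed by what a password really protects.
const OPERATIONS = Object.freeze({
  getPublicKey:     "public",       // public data: a prompt protects nothing
  signEvent:        "configurable", // user may switch the password prompt off
  walletSend:       "protected",    // funds: always behind the password
  exportPrivateKey: "protected",    // key material: always behind the password
});

class PromptPolicy {
  // passwordForSigning: the setting the feature request asks for (assumed name).
  // unlockTtlMs: how long one successful password entry stays valid (assumed 5 min).
  constructor({ passwordForSigning = true, unlockTtlMs = 5 * 60 * 1000 } = {}) {
    this.passwordForSigning = passwordForSigning;
    this.unlockTtlMs = unlockTtlMs;
    this.unlockedUntil = 0;           // epoch ms; 0 means locked
    this.trustedOrigins = new Set();  // origins the user allowed to sign without asking
  }

  // Called after the password was verified elsewhere; caches the unlock for the TTL.
  unlock(nowMs) { this.unlockedUntil = nowMs + this.unlockTtlMs; }
  isUnlocked(nowMs) { return nowMs < this.unlockedUntil; }
  trustOrigin(origin) { this.trustedOrigins.add(origin); }

  // Decide what the extension must do before serving `op` for `origin`.
  // Returns { allow, prompt, reason } with prompt in "none" | "consent" | "password".
  decide(op, origin, nowMs) {
    const cls = OPERATIONS[op];
    if (cls === undefined) {
      return { allow: false, prompt: "none", reason: "unknown operation" };
    }
    if (cls === "public") {
      return { allow: true, prompt: "none", reason: "public key is not secret" };
    }
    if (cls === "protected") {
      // A cached unlock is honoured only within its TTL; afterwards ask again.
      return this.isUnlocked(nowMs)
        ? { allow: true, prompt: "none", reason: "recent password unlock" }
        : { allow: false, prompt: "password", reason: "protected operation" };
    }
    // "configurable" (signing): password only if the user kept it on,
    // then per-origin consent, which is the website trust relationship.
    if (this.passwordForSigning && !this.isUnlocked(nowMs)) {
      return { allow: false, prompt: "password", reason: "signing protected by user setting" };
    }
    return this.trustedOrigins.has(origin)
      ? { allow: true, prompt: "none", reason: "origin trusted for signing" }
      : { allow: false, prompt: "consent", reason: "first signing request from this origin" };
  }
}

// Walk through the scenarios from the comment with a constructed origin.
function walkthrough() {
  const site = "https://example.invalid";   // constructed sample origin
  const p = new PromptPolicy({ passwordForSigning: false });
  const out = [];
  out.push(p.decide("getPublicKey", site, 0).prompt);   // "none"
  out.push(p.decide("signEvent", site, 0).prompt);      // "consent" (first visit)
  p.trustOrigin(site);
  out.push(p.decide("signEvent", site, 0).allow);       // true
  out.push(p.decide("walletSend", site, 0).prompt);     // "password"
  p.unlock(1000);
  out.push(p.decide("walletSend", site, 2000).allow);   // true, inside TTL
  out.push(p.decide("walletSend", site, 1000 + 5 * 60 * 1000).allow); // false, TTL expired
  return out;
}

console.log(walkthrough());
```

The `walkthrough()` function exercises each class once, including the expiry edge case: an unlock cached at t=1000 ms no longer satisfies a funds operation once the TTL has elapsed, so the password is requested again rather than silently trusted.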
Most users store their Master key or private Nostr key in the Alby Extension and use the password to encrypt and protect them.