calvinmorrison
Use a pass phrase!
I do. Most probably they do too, but since any running apps can access the user’s private keys, the whole security depends on the strength of the passphrase that can be brute-forced offline?
Passphrases protect against silent key exfiltration. Make them long enough (six or seven words these days, I think?) and they won't be cracked in your lifetime unless the quantum people figure their stuff out or you become a vampire.
If you're trying to protect against running programs, you also need to protect against key loggers. Using hardware-backed keys and systems like Windows Hello for validation can help with that, as their UI is not easily interceptable.
In the end, there's no perfect way to protect your keys if you have a virus running on your computer.
Don't run apps you don't trust outside of a container. If there is malware on your system, your SSH keys are only one of your many troubles.
What are apps you do trust?
Use a long one.