A user who is worried about theft of their private key could put a long [0] passphrase on it, but alas, the service provider who supports key auth can't enforce that keys be passphrase-protected [1]. A user who does this is effectively creating a 2FA requirement for their account. But to your second point, the onus is on the user, which isn't ideal.
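Since the comment's point is that only the key owner (or whoever audits the endpoint holding the key) can verify that a private key is passphrase-protected, here is an added example, not part of the comment or any project it mentions, that performs that local check by reading the key file's own headers. It relies on two documented facts: an OpenSSH-format key (`openssh-key-v1`) records its cipher and KDF names in cleartext before the encrypted payload, and a legacy PEM key signals encryption with a `Proc-Type: 4,ENCRYPTED` header. The key blobs are constructed in the helper purely for demonstration and contain no real key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH wire 'string' at offset; return (value, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def build_openssh_key_file(ciphername: bytes, kdfname: bytes) -> str:
    """Constructed test fixture: a minimal fake OpenSSH private key file.

    Only the header fields (magic, cipher, kdf, kdfoptions, key count) are
    present; there is no real key material. Used here to exercise the checker.
    """
    body = (OPENSSH_MAGIC
            + _ssh_string(ciphername)
            + _ssh_string(kdfname)
            + _ssh_string(b"")          # kdfoptions: empty for an unencrypted key
            + struct.pack(">I", 1))     # number of keys
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def key_is_passphrase_protected(text: str) -> bool:
    """Return True if the private key file text is encrypted with a passphrase.

    Supports the OpenSSH native format and legacy PEM formats. Raises on
    anything it does not recognise rather than guessing.
    """
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty key file")
    first = lines[0]

    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_ssh_string(body, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(body, off)
        # ssh-keygen writes cipher "none" and kdf "none" when no passphrase is set.
        return cipher != b"none" and kdf != b"none"

    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container

    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/EC/DSA PRIVATE KEY): encryption is flagged by a
        # Proc-Type header immediately after the BEGIN line.
        return any(h.startswith("Proc-Type:") and "ENCRYPTED" in h
                   for h in lines[1:-1])

    raise ValueError("unrecognised private key format")


def audit_key_files(paths):
    """Report which of the given key files lack a passphrase (constructed helper)."""
    unprotected = []
    for path in paths:
        with open(path, "r", encoding="utf-8") as fh:
            if not key_is_passphrase_protected(fh.read()):
                unprotected.append(path)
    return unprotected


if __name__ == "__main__":
    for cipher, kdf in ((b"aes256-ctr", b"bcrypt"), (b"none", b"none")):
        sample = build_openssh_key_file(cipher, kdf)
        print(cipher.decode(), "->", key_is_passphrase_protected(sample))
```

The check reads only the cleartext header fields, so it never needs the passphrase and cannot leak key material; it is the kind of thing an endpoint compliance script can run over `~/.ssh`, which is exactly the gap the comment describes, since the server side never sees the private key file at all.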