[dcolkitt]

All connecting a wallet does is allow the app to see your public keys. Private keys are not directly exposed. The app can then request the user sign transactions, but they must be explicitly approved by the user.

Where fraud typically happens is when a user thinks they're signing an innocuous transaction, when in fact they're signing a malicious one. This is generally a hard problem, but it's very clear from the wallet the address of the smart contract your transaction interacts with.

[Barrera]

Where do the private keys reside in this scenario?

[cdiddy2]

Depends on the type of wallet. If its a web wallet the keys are in the browsers data store that the wallet extension handles. The keys could also be on a separate hardware wallet that is completely separate from the computer you interact with and requires physical button presses on the hardware device. Could also be that you are in a view only mode and just connecting with an address and you don't even have the keys on you.

[3np]

Most common three subscenarios: A hardware wallet connected by USB/Bluetooth; locally on disk/memory; in a third-party application.

Only on the second case does the browser extension handle primitives like private keys and in no scenario do they get exposed to a site.

The more common crypto-thefts are phishing (user gives away their recovery phrase) or malware (scanning for on-device keys and recovery phrases).