[Barrera]

Where do the private keys reside in this scenario?

[cdiddy2]

Depends on the type of wallet. If its a web wallet the keys are in the browsers data store that the wallet extension handles. The keys could also be on a separate hardware wallet that is completely separate from the computer you interact with and requires physical button presses on the hardware device. Could also be that you are in a view only mode and just connecting with an address and you don't even have the keys on you.

[3np]

Most common three subscenarios: A hardware wallet connected by USB/Bluetooth; locally on disk/memory; in a third-party application.

Only on the second case does the browser extension handle primitives like private keys and in no scenario do they get exposed to a site.

The more common crypto-thefts are phishing (user gives away their recovery phrase) or malware (scanning for on-device keys and recovery phrases).