All secrets on the Nitrokey 3 are kept on the SE050, which does, as of our knowledge today, a very good job in keeping them safe. This is only partly true for FIDO2 NFC functionality, which has it's secrets inside the internal flash. But the internal flash in encrypted thus reducing the attack vectors here, although there are also some power-supply-glitch based attacks for the nRF family. On the long run we will check if it is feasible to mitigate these attacks further by putting all (also the FIDO2) secrets into the SE050. As of today, the drawback with this approach would be that NFC would not work anymore, so if this will be implemented at some point, this will only be an option.