This is all native to nostr. And the trustlessness can come from ppl running their own bunker. If you signup through flare, then you are using flare's nsec bunker, but you can easily create you account on a different bunker provider and use them instead. If you want to run your own, just follow the instructions here: https://github.com/kind-0/nsecbunkerd/tree/master
When you want to sign into your account (the one stored on the bunker) the client is generating a temporary key set and then requesting authorization from your bunker provider to give this temporary key set the permission to sign events. Once approved, any event that you want to sign is wrapped in a wrapper event and broadcasted to the relays. Next, your bunker is listening for events from the whitelisted pubkey, and once it detects the event, it will unwrap the event, sign it, and send it back to the client. Now, the client is able to publish the event signed by the remote nsec.