Ideally, one would generate a master private key in a cold wallet and then use that one to sign subkeys that could ne used from a browser extension and with a limited validity period. If compromised, just sign a revokal and a new subkey with the master one.

Does something like this exist? In PGP there's something like that.