Sigbash is a multisig key agent that hands out blinded xpubs - an xpub is sent to the user's browser, random values are generated using the WebCrypto API to create a new child xpub with a new derivation path. The key agent doesn't asee this new child key - so from key generation all the way to PSBT signing the agent doesn't actually know anything about what the key is protecting

GPG contracts (https://nakamotoinstitute.org/mempool/gpg-contracts) are used to keep the key agent honest

Since there's no human in the loop you can attach different signing conditions to an xpub - e.g. "only sign if this Bitcoin address has a balance higher than XXX satoshis" or "only sign after this block height AND if the BTC/USD exchange rate is higher than XXX"