Comment by Ajedi32

> I don't keep my secrets in system directories

Root of the home directory is also excluded.

But obviously yeah, nothing's going to prevent you from giving a website access to your .ssh directory if you explicitly select it.

Personally I don't have a problem with that. The ability to upload files has been a thing on the web for forever and I don't think there's ever been anything that stopped users from uploading their private key. Possibly some users have gotten phished that way, but at a certain point you have to accept responsibility for your own actions, otherwise you start ceding control of your life to a corporate nanny state.