Really great question! Tl;dr - MetaMask and other software and hardware wallets never expose your private key to any app or website. ​ Exactly as you said - the React app/any app will create a message and pass that along to the MetaMask extension where MetaMask will sign it in its own sandboxed environment, and then pass back the signature only. ​ This is, incidentally, exactly how hardware wallets also sign messages while keeping your private key super secure and safe on the hardware wallet, never touching your computer/phone or any other device that's ever directly connected to the internet. ​ The private key never leaves the hardware wallet, which is then effectively airgapped from any device that's connected to the internet (which would cause a wallet to become 'hot'). When you need to sign a transaction or message, you connect your hardware wallet to your computer or phone, and the computer/phone sends the transaction data along to the hardware wallet, then the hardware wallet prompts you to confirm the transaction, and if you confirm it, it will sign the transaction, and then send only the signature back to the computer/phone. ​ That allows you to effectively use your hardware wallet to interact with dapps and sign transactions on a regular basis while never exposing your private key to anyone - not even your computer! ​ MetaMask and other software wallets are still inherently more vulnerable because the private key is still stored on your computer itself, though MetaMask of course does its best effort to prevent anyone from accessing it. To be totally honest - I've never really heard of a practical case where MetaMask itself was compromised in a way such that it exposed its stored private key to anyone - almost every instance where a private key was exposed was either because a user stored the private key/seed phrase in a document (typically unencrypted) on their computer/phone somewhere and their computer was compromised with malware, or because they themselves entered the private key/seed phrase into a phishing website or something similar. ​ Great question - hope that helps!