Recently just published StoicIdentity, a drop-in solution that you can use with the HttpAgent for JS (similar interface to NNS). https://github.com/Toniq-Labs/stoic-identity
In future we will be adding canister scope, so apps have to declare what canister IDs they want to make calls using the users identity. We will also be flagging sensitive canisters (ledger, NNS) and require an additional verification from the user to send calls to those.
API access can be revoked from within NNS, and the bridge only exists on the local machine (so has no exposure remotely). Private keys are never exposed as well. You can use your II through StoicWallet, and have a single identity that can be used through the internet with a persistent public key.