One of my colleagues was asking me a question about this last week. Can all/any applications running on our device read the key? They work on a mac, and wrote a simple python script to confirm. Any program running in the userspace can read the private key file; have the private keys always been not so private all this time?

You can store them in the Secure Enclave on OSX and require TouchID to use the key for signing.

See: https://github.com/maxgoedjen/secretive