At this site you can see which authorities people use on a given account: https://www.steemfiles.com/@leprechaun/permissions
So 'ecency.app' does have posting authority for 'leprechaun'. I don't really want to keep the active key on a device I carry around. And I think you agree that you should be able to do posting level operations options with Ecency with the posting key and I know I wont be able to do active level operations in the wallet section. I don't want anyone who has my phone to be able to do that.
I think this is the current reality of the situation: You need active keys to login to Ecency on mobile or desktop. The problem might require radical changes to the source code because of its reliance to Hive-Signer in the login process, unfortunately.
Hivesigner's role is to secure our private api via access token, so there should be simpler logical distinction, not radical changes to source code though. We can gradually improve that logic for sure. Please create issue to relevant source code, if you want to discuss further and easier to keep reference of issues and potential solution ideas on github. For mobile app side, issue created, referenced in earlier comment.