Thanks for your support!

Are they stored anywhere, do they leave the browser?

No private key will ever leave the browser or be stored permanently. All transactions are being signed locally within the JavaScript of the page. Once you enter a key it will temporarily be held available on the page (in the DOM) but never be stored anywhere else. Only the signed transaction will be sent to the connected node, so no keys are transferred at any time.

I've planned to add SteemConnect or a more secure (own) solution in future. As SteemConnect stores the private keys on the developers servers, I'm still not really convinced that that is the right way to do it. I think stored keys always should be encrypted and in my own solution I would do exactly that in conjunction with a master password.