If you have the hash of the content (even the pub keys of IPNS), you don’t need any private key in IPFS to store and distribute content.
That said, I am not sure whether “broadcasting” IPNS even if you don’t have the IPNS private key exists as a feature. Do we have this possibility? (To re-broadcast a “signed” message saying which IPNS hash is pointing to which object/file hash.) I am curious as well!
I guess this broadcasting (publishing) the renewed value that the IPNS address points to can also be done on deploy time, so in the same environment as where content is added to a node.
1. Have a local node on your protected LAN
2. On that node, add content to the network
3. On that node, also publish an IPNS address
4. Then on your servers, you can pin the new content
5. On your LAN you can bring down the node
That should work I think? Feels safer than having nodes running with the secret keys on disk.
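An added example (not from this thread or from the IPFS project) showing the property behind the question above about re-broadcasting signed IPNS records without the private key, and the offline-publish / server-pin workflow just described. It uses a deliberately simplified, constructed record format (hex SHA-256 content IDs, an ed25519-signed name/value/sequence triple) rather than real CIDs or the real IPNS record encoding. The only step that touches the private key is `Publish`, which would run on the LAN node; `Relay` stands in for a key-less server that verifies, stores and re-serves records using the public key alone, and rejects forged or stale ones.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// ContentID is a constructed stand-in for an IPFS CID: the hex SHA-256 of the bytes.
func ContentID(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// VerifyContent is what any node can do before pinning or re-serving a block:
// check that the bytes match the address. No key of any kind is involved.
func VerifyContent(cid string, content []byte) bool {
	return ContentID(content) == cid
}

// Record is a simplified, constructed stand-in for an IPNS record.
type Record struct {
	Name     string // hex SHA-256 of the publisher's public key (stands in for the IPNS name)
	Value    string // the content ID the name currently points to
	Sequence uint64 // monotonically increasing; a newer record replaces an older one
	Sig      []byte // ed25519 signature over payload()
}

// payload is the byte string that gets signed: name, value and sequence.
func (r Record) payload() []byte {
	var buf bytes.Buffer
	buf.WriteString(r.Name)
	buf.WriteByte(0)
	buf.WriteString(r.Value)
	buf.WriteByte(0)
	seq := make([]byte, 8)
	binary.BigEndian.PutUint64(seq, r.Sequence)
	buf.Write(seq)
	return buf.Bytes()
}

// NameFor derives the name from the public key, so the key and name are bound.
func NameFor(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Publish is the only function that needs the private key (the offline / LAN node).
func Publish(priv ed25519.PrivateKey, value string, seq uint64) Record {
	pub := priv.Public().(ed25519.PublicKey)
	r := Record{Name: NameFor(pub), Value: value, Sequence: seq}
	r.Sig = ed25519.Sign(priv, r.payload())
	return r
}

// Verify needs only the public key, so a pinning server or relay can check and
// re-broadcast a record without ever holding the secret.
func Verify(pub ed25519.PublicKey, r Record) error {
	if NameFor(pub) != r.Name {
		return errors.New("record name does not match public key")
	}
	if !ed25519.Verify(pub, r.payload(), r.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Relay is a key-less node's record store: it accepts a record only if the
// signature is valid and the sequence number is newer than what it already holds.
type Relay struct{ latest map[string]Record }

func NewRelay() *Relay { return &Relay{latest: map[string]Record{}} }

func (n *Relay) Accept(pub ed25519.PublicKey, r Record) error {
	if err := Verify(pub, r); err != nil {
		return err
	}
	if old, ok := n.latest[r.Name]; ok && r.Sequence <= old.Sequence {
		return errors.New("stale record: sequence is not newer than the stored one")
	}
	n.latest[r.Name] = r
	return nil
}

// Resolve returns the content ID a name currently points to on this relay.
func (n *Relay) Resolve(name string) (string, bool) {
	r, ok := n.latest[name]
	return r.Value, ok
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // lives only on the LAN node
	content := []byte("constructed site content v1")
	rec := Publish(priv, ContentID(content), 1)
	relay := NewRelay() // the public server: has pub, never priv
	fmt.Println("accept signed record:", relay.Accept(pub, rec))
	forged := rec
	forged.Value = ContentID([]byte("not the real content"))
	fmt.Println("accept forged record:", relay.Accept(pub, forged))
}
```

The point the test below checks is the one the thread circles around: the public server can verify content against its hash and verify or relay signed name records, but it cannot produce a new valid record, and a record it already has cannot be replayed over a newer one.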
It would be better to integrate with hardware wallets like Trezor (Mostly cryptos).
This would probably skip all the steps related to having a local node in a protected LAN. (or an offline node)
Feels like security theatre. If they have some zero-day for IPFS they can just use it twice, first once to compromise the public server and then once to compromise the private server.
Any HTTP server has the SSL certificate on disk; that doesn’t cause security problems. It won’t do any harm, but the security increase is negligible. If you’re running compromised software you have bigger problems to worry about; if you’re not, then you’re safe anyway.