
Private keys should be in secure hardware. Short of that it's all hand-waving.

That's one benefit that IPSec+IKE has over Wireguard at the moment. With IPSec, authentication can occur in userspace and the private key never needs to be exposed to the kernel or to userspace. By the time you implement this for Wireguard, if ever, the Wireguard "stack" (inside the kernel and, hopefully, outside the kernel) code size will have gotten considerably larger.

It's largely theoretical at the moment because few IPSec setups actually make use of this capability. But it will become more common over time.
