
Another approach would be to allow the players to input their own OpenAPI key, to take the load off of however many Lakera have behind this


Is inputting your API key on some random (sorry to the creator) website really a good idea?


In general not, but OpenAI has done a wonderful job of key management with instant revocation, soft and hard limits, and alerts all the way.

I can confidently experiment by generating a new key, and I'll only ever lose a dollar, as my threshold is fairly low and matches the usage in my own projects.


Not everyone will do this though. Security is meant for the idiot users.


It's not. Eventually we'll have OAuth and that will be the preferred approach.


Curiously, they already have something like that. If you take a course on deeplearning.ai (I tried ChatGPT Prompt Engineering for Developers), you can run a notebook that accesses the OpenAI API. If you look closely, you'll notice they authenticate not with an API key but with a temporary JWT token that gets handed to you when you start a lesson. I don't know how they do it, but it's certainly possible.


Another approach would be to let players host their own instance to keep their API key private. I'm available to test this out if any of the developers are interested.



