Your private keys are mathematically combined and shared between the Smart-ID app, which is installed on your mobile device, and the Smart-ID server. The share inside the Smart-ID app is protected with your PIN, and the share inside the Smart-ID server is protected with the HSM (hardware security module). Clever cryptographic methods ensure that a digital signature cannot be created with just a single share of your private key, and that the individual shares are never mathematically combined in a single place when a digital signature is produced. So the Smart-ID app alone cannot produce a valid signature, and the Smart-ID server alone cannot produce a valid signature either.
This means that an attacker who would like to create fake digital signatures needs to break the security of both shares of your private keys. We are confident that this provides a very high level of protection.
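
The property described above can be illustrated with a textbook two-party additive split of an RSA private exponent. This is an added example, not Smart-ID's own code or protocol (the page does not name its scheme); the toy primes, function names and message are constructed for illustration, and the PIN and HSM protection of each share are not modelled.

```python
import hashlib
import secrets

# Constructed toy key: two Mersenne primes. Far too small for real use.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # full private exponent; exists only during key generation


def split_key():
    """Split D into two additive shares: d_app + d_server = D (mod PHI)."""
    d_app = secrets.randbelow(PHI - 1) + 1
    d_server = (D - d_app) % PHI
    return d_app, d_server


def digest(message: bytes) -> int:
    """Hash the message to an integer below N (no padding; illustration only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def partial_sign(message: bytes, share: int) -> int:
    """Each party raises the digest to its own share; the share never leaves it."""
    return pow(digest(message), share, N)


def combine(sig_app: int, sig_server: int) -> int:
    """Multiply partial signatures: h^d_app * h^d_server = h^D (mod N)."""
    return (sig_app * sig_server) % N


def verify(message: bytes, signature: int) -> bool:
    """Standard RSA check with the public key (N, E)."""
    return pow(signature, E, N) == digest(message)


if __name__ == "__main__":
    msg = b"constructed sample document"
    d_app, d_server = split_key()
    s_app = partial_sign(msg, d_app)        # computed on the device
    s_server = partial_sign(msg, d_server)  # computed on the server
    print("app share alone:   ", verify(msg, s_app))
    print("server share alone:", verify(msg, s_server))
    print("combined:          ", verify(msg, combine(s_app, s_server)))
```

Only the partial signatures are exchanged; neither exponent share is sent to the other party, and the full exponent is never rebuilt at signing time.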