Signing a message is pretty much like signing a transaction. The only difference is that the digest is computed by hashing the message string (after prepending a fixed value to the start of it) instead of the transaction. Hash algorithm and ECDSA and subsequently the ephemeral key (k) selection are all the same.

So if the software that is used for signing transactions (sending bitcoin) is secure, the result for message signing should be safe as well. Otherwise singing a transaction would also put you at risk of leaking your key.
And like always use popular open source software that is extensively reviewed and is bug free.