Just want to note one other suggestion that I’ve received:
Instead of signing over the calldata,
mingas,value, etc. only sign overkeccak256(type || abi.encode(invoker, chainid, nextra))
This has a certain elegance to it, and since you already have to trust the invoker for replay protection, why not trust it for everything?
This would allow multiple calls with different calldata (ex. approving the Uniswap Router, then performing a swap, and finally doing the sponsee’s transaction) with a single signature.
The downside is that a broken/vulnerable/malicious invoker can have nearly total control over an EOA, and writing a safe invoker will take a significant amount of care.
(Thanks to @adietrichs and Chris Buckland for independently suggesting this change.)