A new private key is generates for each site, and only that site has the corresponding public key, and the domain name is checked, so malicious.com can't leak the private key for example.com.