This would allow the delegate to create a real signature as if they had the actual nsec based on some constraints. So somthing like x key can generate valid signatures for kind 1's with created_at < Y. And that would create valid signatures, clients would just verify them as any other note and you would have no idea that it was created via one of these delegate keys.