Is this something that has happened to you before? I have not heard of any VPN even having the ability to steal your nsec, let alone actually doing so. However, I would assume they could see any unencrypted data sent through their servers.

You will always be safest using a signing app that is local on your device, so that your nsec itself is not being sent anywhere, only the signed events you are posting.