There needs to be some way that you can have a Nostr key that never touches the internet or touches something that touches the internet. Somewhat like cold storage. If my Twitter account gets compromised, theres a process (awful, but its there), to get my account back. There's nothing like that with Nostr, once that private key gets compromised its over. Alby is good, but its a bandaid.

I don't know how you fix that without a protocol change. I suppose you could come up with some novel approach in a NIP, but you'd need every client to adopt it or I suspect your posts won't appear in older clients. 

 I see what you mean now. 

I don't understand qhy we don't just use some kind of waterfall HD keys like in bitcoin. 

Master nsec--> derive multiple nsec 

When you see a key with a higher derivation number you consider all previous keys compromised and mark the messages with those keys as compromised.