Technically, the service owner has access to nsec. CPU, RAM, (if swapped also disk) sees the key. Unless it is a dedicated HSM or something like Enclave (AWS) there is no way around it 🐶🐾🫡
Hmm I wonder if a simple process trace would reveal the key when it's in flight then?
a tool to dump the process memory might 😉
strace 👀