Technically, the service owner has access to nsec. CPU, RAM, (if swapped also disk) sees the key. Unless it is a dedicated HSM or something like Enclave (AWS) there is no way around it 🐶🐾🫡