yeah, clients could just not show DMs they can't decrypt.

Generally, nostr clients need to be way more defensive when accepting events.

NDK has pluggable validation methods that make it so that clients don't even see events that don't conform to whatever standard they choose for this reason.

nostr:note1k5ghx3ehxj6825tj4emzggqrc5vgp23ahn2myj7ughplcn9t9f2q22cflv