I mean that if I want to create a relay for some 'curated' set of events then I would just allow only one pubkey to do writes (write anything, not just its events), and let everyone else read. Curation could happen manually - I could use some tool to broadcast specific events to that relay, or by some software with keys that are allowed to write.
I think even this seemingly simple 'auth only for writes' case isn't trivial - if you send AUTH to every new connection then you're forcing readers to auth. And if you only send AUTH on writes (EVENT commands) then there needs to be a mechanism to handle the pending write - the relay would either have to reject the first write attempt, do AUTH and then the client should retry, or the relay should buffer the write request, do AUTH and commit the write if auth succeeds. And since clients can't launch the auth flow, writers can't initiate it themselves, they have to wait until the relay decides to run the auth flow. NIP-42 isn't great.
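The two ways of handling the pending write described above (reject and retry, or buffer and commit), sketched as a per-connection state machine. This is an added example, not part of the original post or of any relay's code; `WriteGatedConn`, `MAX_PENDING` and the injected `sig_ok` callable (assumed to verify the auth event's signature and timestamp) are hypothetical names.

```python
import secrets

AUTH_KIND = 22242   # kind of the signed auth event in NIP-42
MAX_PENDING = 8     # cap on buffered writes per unauthenticated connection

class WriteGatedConn:
    """One client connection: reads are open, writes need AUTH by an allowed pubkey."""
    def __init__(self, relay_url, writers, sig_ok, store, buffer_writes=False):
        self.relay_url, self.writers = relay_url, set(writers)
        self.sig_ok, self.store = sig_ok, store   # sig_ok: assumed signature check
        self.buffer_writes = buffer_writes
        self.challenge, self.authed, self.pending = None, None, []

    def on_message(self, msg):
        """Return the list of frames the relay sends back for one client frame."""
        if msg[0] == "REQ":
            return [["EOSE", msg[1]]]   # readers never see AUTH (query omitted)
        if msg[0] == "EVENT":
            return self._on_event(msg[1])
        if msg[0] == "AUTH":
            return self._on_auth(msg[1])
        return [["NOTICE", "unsupported"]]

    def _on_event(self, ev):
        if self.authed in self.writers:   # allowed writer may publish any event
            self.store.append(ev)
            return [["OK", ev["id"], True, ""]]
        if self.authed is not None:
            return [["OK", ev["id"], False, "restricted: not an allowed writer"]]
        out = []
        if self.challenge is None:        # first write triggers the challenge
            self.challenge = secrets.token_hex(16)
            out.append(["AUTH", self.challenge])
        if self.buffer_writes and len(self.pending) < MAX_PENDING:
            self.pending.append(ev)       # buffer: commit only if AUTH succeeds
            return out
        return out + [["OK", ev["id"], False, "auth-required: retry after AUTH"]]

    def _on_auth(self, ev):
        tags = {t[0]: t[1] for t in ev.get("tags", []) if len(t) >= 2}
        ok = (self.challenge is not None and ev.get("kind") == AUTH_KIND
              and tags.get("challenge") == self.challenge
              and tags.get("relay") == self.relay_url and self.sig_ok(ev))
        if not ok:
            return [["OK", ev.get("id"), False, "restricted: bad auth event"]]
        self.authed = ev["pubkey"]
        out, pending, self.pending = [["OK", ev["id"], True, ""]], self.pending, []
        for p in pending:                 # flush buffered writes under the new identity
            out += self._on_event(p)
        return out
```

The buffer is bounded because every buffered write is memory held for a peer that has not yet proven anything.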