My approach for theft would be to have key aliasing and reasonably secure hardware wallets.

You'd have a 12 word seed you only ever enter into the hardware wallet so it can generate the signature you need to set up an alias pointing to another key. Once the alias is set, the seed is deleted from the hardware and you interface with nostr through the other key. If the everyday use key gets stolen, you change the alias.