Even if you implement nip49, I still think you need to include nsec export. Vitor says nip49 is not meant to replace nsec, and nsec should still be stored in a separate place. If you permit a user to generate new keys, then you need to permit nsec export. Otherwise, users might be left with a lock in situation to your bunker - especially now when client support for all these new nips is incomplete and buggy.