I think the major issue is that the service has access to both, the encrypted nsec and the key to decrypt it. Plus and service that is between the service and the client will have access to both, e.g., Cloudflare, TLS termination thingy. It’s just not a good approach to the storage of keys unless the organization hosts it in their own trusted infrastructure 🐶🐾🫡