The event can be faked so currently I could zap you without paying you or claim you zapped me, right? The former could be prevented by requiring your signature but that would make zapping interactive not only with the wallet but the nsec, too.
Correct. Today we have to trust the zapper service to be truthful