Nostr is a decentralized protocol that is not private by default. Kyc or no-KYC has nothing to do with the Nostr protocol. Nostr doesn't come with a VPN, just like the internet.

"Relays know your IP address, your name, your location (guessed from IP), your pub key, all your contacts, and other relays, and can read every action you do (post, like, boost, quote, report, etc) except for Private Zaps and Private DMs. While the content of direct messages (DMs) is only visible to you and your DM counterparty, everyone can see when you and your counterparty DM each other." -Amethyst on Github

There are malicious nodes. Lightning is not private by default, especially if you're running your own node and receiving, sending is more private. By contrast, Monero is private by default. 

Nsec can be compromised just like any other password, etc.