I think the fact that there's no secret creator of nostr kind of alleviates the risk of a csw style attack. Perhaps the real risk is private equity coming in with a centralised app and calling is nostr. I don't really think this could be successful though, because I feel that nostr users will always be those who use it for its decentralised nature and are aware of it.