no, their tie their pubkey to someone elses name. Signing would prevent name-spoofing.

For example, i cannot post a message to a relay with your pubkey because i can't sign the message, but i can create a profile with your name and my pubkey because there is no verification. I don't need to hack your server, just create doubt.

btw thanks for responding, i'm implementing a relay and getting to grips with the NIPs, so would be good to know if i misunderstand things.