Good question. nostr:npub1klkk3vrzme455yh9rl2jshq7rc8dpegj3ndf82c3ks2sk40dxt7qulx3vt suggested to additionally encrypt the content with AES/password before encrypting with NIP-44. So long the password is stored out of band completely, it still should be protected if the nsec is compromised. 

In the end, all security relies on the protection of a private key stored somewhere. I’d like to have that under my control versus a randomly trusted admin.