the npub is both part of the event and necessary to check that it matches the signature, which must match the canonical formatted version of the event (it is an array in a strict order with no whitespace except inside strings)
npub is the public key, which is derived from the nsec, which is the secret key, and it follows BIP-340, the signature scheme used in bitcoin's Taproot and MuSig2
the combination of pubkey and signature is necessary in an untrusted environment, otherwise there would instantly be impersonators of everyone; this is impossible with elliptic curve keys and signatures
and yes, that's exactly how a lot of these things work... i had some bugs with complex strings in tags recently, as it seems that instead of putting such content in the content, zaps put complex JSON text inside the tags themselves
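
The canonical form described above, as an added example that is not part of the original post: it follows the NIP-01 array layout, hashes it to the event id that the BIP-340 signature covers, and shows why JSON text carried inside a tag must be treated as an opaque string. The event, its hex `pubkey` placeholder and the helper names are constructed for illustration, and signature verification itself is left out.

```python
import hashlib
import json

def serialize_event(ev: dict) -> str:
    """Canonical form: [0, pubkey, created_at, kind, tags, content]."""
    return json.dumps(
        [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
        separators=(",", ":"),  # no whitespace outside strings
        ensure_ascii=False,     # non-ASCII stays as UTF-8, not \uXXXX escapes
    )

def event_id(ev: dict) -> str:
    """SHA-256 of the UTF-8 canonical form; this is what gets signed."""
    return hashlib.sha256(serialize_event(ev).encode("utf-8")).hexdigest()

def id_matches(ev: dict) -> bool:
    """Reject an event whose claimed id is not the hash of its own fields.
    Run this before the signature check, which is made against the id."""
    return ev.get("id") == event_id(ev)

# Constructed sample: a zap-style event whose tag value is itself JSON text.
INNER = json.dumps({"kind": 9734, "content": 'thanks "friend"\n'},
                   separators=(",", ":"))
EVENT = {
    "pubkey": "ab" * 32,  # constructed placeholder, not a real key
    "created_at": 1700000000,
    "kind": 9735,
    "tags": [["p", "cd" * 32], ["description", INNER]],
    "content": "",
}
EVENT["id"] = event_id(EVENT)

def reencode_tag_json(ev: dict) -> dict:
    """The failure mode: parsing the JSON in a tag and writing it back.
    Whitespace or key order changes, so the tag string and the id change."""
    out = json.loads(json.dumps(ev))  # deep copy
    for tag in out["tags"]:
        if tag[0] == "description":
            tag[1] = json.dumps(json.loads(tag[1]))  # default separators add spaces
    return out

if __name__ == "__main__":
    print(serialize_event(EVENT))
    print("original ok:  ", id_matches(EVENT))
    print("re-encoded ok:", id_matches(reencode_tag_json(EVENT)))
```

The outer JSON an event travels in may be reordered or pretty-printed freely, since the id is recomputed from the fields; only the strings inside the canonical array have to survive byte for byte.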