Ok but I guess same question - why not just verify the app is signed using the Nostr identity of the dev you already trust? What does a separate siloed web of trust gain you? PGP was great, but Nostr obsoletes it.