Is the idea to AES-encrypt the .content with a password first, then do the NIP44 encryption? That way if the nsec is compromised, at least the records are still encrypted?
Correct, somewhat of a 2FA / post-compromise secrecy.
Awesome. Thanks for the suggestions. I think it will be pretty straightforward to implement. Next cool feature project!