Is the idea to AES-encrypt the .content with a password first, then do the NIP44 encryption? That way if the nsec is compromised, at least the records are still encrypted?