fiatjaf hasn't even considered that clients could be configured to make a new key every auth request except for to paid relays also, defeating the privacy invasion angle completely and pointing back to the IP tracking problem