No need to sign. Just reveal the private key. The goal is account recovery not signing security.
The phone of a homeless person will be either stolen or lost every other month or so. They can get new phones, they just need a way to go somewhere and recover their accounts. :)
Will the thief have a copy of the private nostr key then.
It's things like this why protocols based on cryptographic identity need to support ephemeral keys and certificates. The nostr key on the phone used to sign notes will be rotated every week or so. Each new key will be signed by a master key kept in cold storage with a declared validity of a week or so.