yea I debugged some more and it does actually check if the private key belongs to that read-only account so that can't be it. I did some DB updates in the past, maybe I missed something related to bunker accounts. Could it be that the "wrong" nsec is the bunker client key?

I think you could try to add existing account again and it should override the wrong keychain data, if that works I don't need to add extra tooling to recover