The nsec is required to sign the event, just like any other event. If you don’t have the nsec you can’t create a valid event from that pubkey. The only way someone could send malicious events to get funds from your wallet is to steal your nsec or if your wallet doesn’t check if the event has a valid signature.