Ok, I was wrong. The event ID (which is sha256 public key, created_at, kind, tags, content) is signed by private key. The only thing I can think of is that signature is not verified by client. But to have a better understanding Iād need to spend some time looking at the events and nips! š¶š¾š«”
