But what of the possibility of nefarious relays (or clients for that matter) modifying content? How is that protected against?
Discussion
For relays, all messages are signed by your nsec. If your note is modified in any way, the signature will not match, and a digital signature is not like a physical one that can be forged: it is impossible to tweak or remake a signature to match.
For clients, they are responsible for validating signatures and dismissing/ignoring invalid junk. They usually also look after your nsec. This is where things get technical, but we can probably rely on social protections.
Clients should be open source. There shouldn't really be anything to hide, and technical experts will audit the code and raise the alarm if it does anything bad with your nsec; like if it leaks it or makes changes to your notes that you don't expect before signing.
There was a client in the past, I think it was by thndr, and they went the route of letting you create a username and password. Behind the scenes they would create and look after your nsec for you so you don't need to worry about it. This was criticized heavily because I think the client was not open source, the servers looked after your nsec so it definitely wasn't private and your secret, and so they could TECHNICALLY request deletions and create new posts on your behalf while you are not paying attention. Ultimately you had to put your trust in them the same way you put your trust in Twitter not to ban you or remove your posts.
On the other side of the spectrum, we have remote signing apps and even devices that some clients support. You can imagine someone as important as the POTUS who writes infrequent but important messages would carry around a dongle that only unlocks with their fingerprint and would need to use that to sign each message they write or approve.
I actually use Amethyst for my main client, but Amethyst doesn't know my nsec. Another program called Amber has it, and when I send a note, it will ask Amber to sign it. Amber will show me the request in a pop-up and I can inspect it to see what it is signing before I approve it. If Amethyst wanted to do anything behind the scenes without me prompting, it would need to ask Amber and I would see a pop-up, so I know that Amethyst cannot misbehave as long as Amber is secure and not colluding with Amethyst. I actually auto-allow things like likes and zaps to reduce the number of taps I need to make for such small things, and zaps mean nothing unless I open my wallet and press send, the way I have it set up.
When I go on my laptop, some clients allow me to log in by connecting to my Amber client. The website does not get my nsec. When I post a message, Amber lets me vet it, and if the website tries anything else, I see a pop-up on my phone and I can reject the action if I don't like it.
Basically, this stuff has been thought of and there are solutions. The more you are worried about malicious clients and your privacy, the more work you need to put in yourself to understand it all and take control. The devs put in even harder work: they wanted protections, they built them, and they now support and maintain those solutions. You just need to shop around, find the right solution for you, use nostr and ask around to see if it is legit, and then use it.
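To make the signature argument above concrete, here is an added example (not from the post, Amethyst or Amber) of what a client must do before trusting a note: recompute the NIP-01 event id and verify the BIP-340 Schnorr signature over it, in pure Python. The secp256k1 arithmetic is written out so it runs with no dependencies; the key and note are constructed, and the nonce derivation leaves out BIP-340's aux randomness.

```python
import hashlib, json
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def tagged(tag, *parts):  # BIP-340 tagged hash, reduced mod N
    t = hashlib.sha256(tag.encode()).digest()
    return int.from_bytes(hashlib.sha256(t + t + b"".join(parts)).digest(), "big") % N

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None: return p or q
    if p[0] == q[0] and p[1] != q[1]: return None
    lam = (3 * p[0] ** 2 * pow(2 * p[1], -1, P) if p == q
           else (q[1] - p[1]) * pow(q[0] - p[0], -1, P)) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, p):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def b32(n): return n.to_bytes(32, "big")

def event_id(ev):  # NIP-01: sha256 of compact JSON [0, pubkey, created_at, kind, tags, content]
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).hexdigest()

def sign_event(ev, nsec_hex):  # the signer's job (what Amber does): fill in pubkey, id and sig
    d = int(nsec_hex, 16); pub = mul(d, G)
    if pub[1] % 2: d = N - d  # x-only pubkey: negate d so the public point has even y
    ev = dict(ev, pubkey=b32(pub[0]).hex()); msg = bytes.fromhex(event_id(ev))
    k = tagged("BIP0340/nonce", b32(d), b32(pub[0]), msg)  # deterministic nonce, no aux randomness
    R = mul(k, G)
    if R[1] % 2: k = N - k
    e = tagged("BIP0340/challenge", b32(R[0]), b32(pub[0]), msg)
    return dict(ev, id=msg.hex(), sig=(b32(R[0]) + b32((k + e * d) % N)).hex())

def verify_event(ev):  # the client's/relay's job: reject anything whose id or sig does not check out
    if ev["id"] != event_id(ev): return False  # content/tags/kind/timestamp edited after signing
    sig, px = bytes.fromhex(ev["sig"]), int(ev["pubkey"], 16)
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    y = pow((px**3 + 7) % P, (P + 1) // 4, P)  # lift x-only pubkey to the even-y point
    if px >= P or y * y % P != (px**3 + 7) % P or r >= P or s >= N: return False
    e = tagged("BIP0340/challenge", sig[:32], b32(px), bytes.fromhex(ev["id"]))
    R = add(mul(s, G), mul(N - e, (px, y if y % 2 == 0 else P - y)))  # s*G - e*P must equal R
    return R is not None and R[1] % 2 == 0 and R[0] == r

NSEC = "11" * 32  # constructed throwaway key; never paste a real nsec into a demo
note = {"created_at": 1700000000, "kind": 1, "tags": [], "content": "hello nostr"}
signed = sign_event(note, NSEC)
tampered = dict(signed, content="hello nostr (edited by a relay)")  # id and sig no longer match
```

Recomputing the id alone catches a relay that edits content, and because the signature covers the id, a relay cannot simply recompute the id to cover its tracks either.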