Do I understand #nostr correctly there is no distinction between identity and a keypair, so in case of compromise, there is no way to use a new keypair with the same identity?

Nostr needs some key management.

https://bitcoinmagazine.com/technical/solving-nostr-key-management-issues