If the k:33333 signed the feed GUID then that at least would prove that you say you "own" the GUID, but still the feed could be modified and there is no way to know what the original one is 😞
That's a signature of nothing though. Sure, the pubkey signed that event, but it only proves that they signed a k:33333 event; it doesn't relate to the feed at all.
For example, I could easily copy that feed, modify it, host it on my own site and say it's your feed
https://npub1ye5ptcxfyyxl5vjvdjar2ua3f0hynkjzpx552mu5snj3qmx5pzjscpknpr.nsite.lol/feeds/example.xml
The difficulty of cryptographic signatures is that they only work if you're able to hash and sign the content itself. Otherwise they are kind of pointless
Discussion
With podcasting, pirating a feed has always been possible. Although that should be addressed, the problem I'm thinking about isn't pirating so much as it's redundancy. If you, me, and Spencer all had servers, I want to host yours and his feed as well as my own as a backup, and you guys do the same for me. I'm trying to think of a way that I can prove to your server that it's me that's actually requesting the feed update, and not someone else. Perhaps the way to do it isn't the signature in the feed, but I encode the whole feed, sign it, then send it to your server. I'm in your list of approved npubs, so you verify it's me, decode the feed and replace the old one.
I guess this still doesn't solve the problem of how to verify my feed hasn't been tampered with when being stored on someone else's server. You could very easily replace all my value addresses with your own prior to publishing, so I'd have to trust anyone I was using as a redundancy. Seems signing the whole feed is necessary as you were pointing out.
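The scheme this thread converges on, as an added example that is not part of either post: the publisher signs the exact feed bytes, a mirror replaces its copy only for an approved key with a valid signature, and a listener re-checks the mirror's copy against the publisher's key. Ed25519 from Node's built-in `crypto` stands in for Nostr's secp256k1 Schnorr keys, and the feed, the value addresses and all function names are constructed for illustration.

```javascript
// Added example. Ed25519 (Node built-in) stands in for Nostr's secp256k1 Schnorr keys.
const crypto = require("crypto");
// Constructed sample feed; the value addresses are made up.
const FEED = '<rss><channel><title>Example</title><podcast:value>' +
  '<podcast:valueRecipient address="alice-node" split="100"/>' +
  '</podcast:value></channel></rss>';

// Identify a key by its encoded public key (stand-in for an npub).
const keyId = (publicKey) =>
  publicKey.export({ type: "spki", format: "der" }).toString("hex");

// Publisher: sign the exact feed bytes, not just an identifier such as the GUID.
function signFeed(feed, { privateKey, publicKey }) {
  const sig = crypto.sign(null, Buffer.from(feed, "utf8"), privateKey);
  return { feed, pubkey: keyId(publicKey), sig: sig.toString("hex") };
}

// Mirror or listener: does this signature cover these bytes under this key?
function verifyFeed({ feed, sig }, publicKey) {
  return crypto.verify(null, Buffer.from(feed, "utf8"), publicKey, Buffer.from(sig, "hex"));
}

// Mirror: replace the stored feed only for an approved key with a valid signature.
function acceptUpdate(store, approved, update) {
  const key = approved.get(update.pubkey);
  if (!key) return "rejected: key not approved";
  if (!verifyFeed(update, key)) return "rejected: bad signature";
  store.set(update.pubkey, update); // keep the signature next to the feed
  return "accepted";
}

function demo() {
  const alice = crypto.generateKeyPairSync("ed25519");
  const stranger = crypto.generateKeyPairSync("ed25519");
  const approved = new Map([[keyId(alice.publicKey), alice.publicKey]]);
  const store = new Map();
  const good = signFeed(FEED, alice);
  const swap = (u, to) => ({ ...u, feed: u.feed.replace("alice-node", to) });
  const results = {
    fromAlice: acceptUpdate(store, approved, good),
    fromStranger: acceptUpdate(store, approved, signFeed(FEED, stranger)),
    edited: acceptUpdate(store, approved, swap(good, "other-node")),
  };
  // A listener checks the mirror's copy against Alice's key, so the mirror need not be trusted.
  const served = store.get(keyId(alice.publicKey));
  results.mirrorCopyValid = verifyFeed(served, alice.publicKey);
  results.swappedCopyValid = verifyFeed(swap(served, "mirror-node"), alice.publicKey);
  return results;
}
```

The listener-side check only helps if the listener learned the publisher's key from somewhere other than the mirror serving the feed.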