Nostr profiles should reference a canary event ID. If that event is ever found, the account was compromised.

So ... when creating an account, clients could allow you to author but not publish a revocation kind-1 message and store the event ID in the profile. Other clients would never (quickly) delete such replaced canary event IDs, so if ever such an event is found, the account could be marked as compromised.

Now, if I suspect my key was exposed to hackers, I can publish that event.

Even if not supported explicitly, clients could implicitly know what's going on from whatever the message contains as it can explain the whole concept.
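
A sketch of the client-side check the note describes, added here as an example; it is not part of the original note or of any Nostr client. The event ID follows the NIP-01 serialization; the `canary` profile field, the `CanaryTracker` class and the sample key are hypothetical, and signature verification is left out.

```python
import hashlib
import json

def event_id(pubkey, created_at, kind, tags, content):
    """NIP-01 event id: sha256 over the compact JSON array serialization."""
    payload = json.dumps([0, pubkey, created_at, kind, tags, content],
                         separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

class CanaryTracker:
    """Remembers every canary id a pubkey has ever advertised."""

    def __init__(self):
        self.canaries = {}        # pubkey -> set of canary event ids
        self.compromised = set()  # pubkeys whose canary event was seen

    def on_profile(self, pubkey, profile_content):
        # "canary" is a hypothetical kind-0 field name, not a defined NIP.
        canary = json.loads(profile_content).get("canary")
        if canary:
            # Never drop ids from replaced profiles: whoever holds a stolen
            # key could otherwise overwrite the profile to hide the canary.
            self.canaries.setdefault(pubkey, set()).add(canary)

    def on_event(self, ev):
        # Recompute the id instead of trusting the "id" a relay supplies.
        # A real client must also verify ev["sig"] (needs secp256k1).
        real_id = event_id(ev["pubkey"], ev["created_at"], ev["kind"],
                           ev["tags"], ev["content"])
        if real_id in self.canaries.get(ev["pubkey"], ()):
            self.compromised.add(ev["pubkey"])
        return ev["pubkey"] in self.compromised

# Constructed sample data (not a real key or event).
PUBKEY = "ab" * 32
REVOCATION = {"pubkey": PUBKEY, "created_at": 1700000000, "kind": 1,
              "tags": [], "content": "This key is compromised. Do not trust it."}
CANARY_ID = event_id(**REVOCATION)  # authored at account creation, unpublished

def demo():
    t = CanaryTracker()
    t.on_profile(PUBKEY, json.dumps({"name": "alice", "canary": CANARY_ID}))
    t.on_profile(PUBKEY, json.dumps({"name": "alice"}))  # later profile drops it
    normal = dict(REVOCATION, content="gm")
    return t.on_event(normal), t.on_event(REVOCATION)
```

Because the ID commits to the exact `created_at` and content, the stored revocation event has to be published byte for byte as it was authored.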
