The inner messages are unsigned so there's always deniability.
With nostr:nprofile1qqs8t4ehcdrjgugzn3zgw6enp53gg2y2gfmekkg69m2d4gwxcpl04acpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsvd43n5 I wonder how privacy works with big groups?
"Two men can keep a secret if one is dead." yet you are talking about private group chats of thousands? If one group member started leaking the chat in real time anonymously, would these messages be verifiably authored by their pubkeys or would the leaker have to expose his own pubkey for that?
Discussion
So how do group members know the message is from the claimed author? Do they have an audit trail of the envelope key belonging to an npub?
Yes, you must reveal your nsec to get the complete audit trail and reveal your device too I think, because after the invitation they use other keys, I'm not aware of the exact process myself, but this is what I've understood so far.