I think someone could make a malicious extension that doesn't validate and can exploit a service just reading the public key.
Discussion
Would be interesting to try and do this. You’re making me realize I have a few assumptions about how NIP-07 signing works.