there is a good reason cryptography is not simple

as I write it up I'm leaning toward this (pns = private note storage):

// device_key is users nsec or device nsec

pns_key = hkdf(device_key, "nipXX")

pns_nip44_key = hkdf(pns_key, "nip44-v2")

ctext = nip44_encrypt(pns_nip44_key, nonce, note_json)

for non-fixed-length sure