I would not use a p-tag since anyone can copy all the p-tags out there and send you a bunch of "private notes" in a DoS attack.

I would derive the key, sign with and filter by that pubkey instead. You basically get the same privacy (people can know how many notes are there for each key/p-tag), but now you are the only one that can create those events (no spamming)

Which means that I wouldn't reuse the GiftWrap kind for this.

Agree that you don't need a seal. The goal for the seal+wrap strategy is to privately connect two keys, which you don't need here.