Yes. If someone steals your private key they can send funds with your Lightning Wallet. The solution is quotas so your whole wallet can’t get emptied immediately.
Discussion
So the nsec is still required to initiate any payment?
The nsec is required to sign the event, just like any other event. If you don’t have the nsec you can’t create a valid event from that pubkey. The only way someone could send malicious events to get funds from your wallet is to steal your nsec or if your wallet doesn’t check if the event has a valid signature.