Attacking nostr is a lot easier.
Just build a shiny new app and start asking to decrypt data.
People are just blindly trusting apps
Deep state tried to use open source to get a back door into Telegram, without anyone noticing.
https://www.newsweek.com/telegram-tucker-carlson-government-spying-1891398
Discussion
People will just blindly sign events. Until they get compromised and start paying attention. But a malicious app would also likely be pointed out pretty quickly. Web of trust helps here too. Just observations.