Random thought: what if each device you use creates a device key, you then update a key list that you publish from your root key. Then giftwraps could send to each key on that list instead. nostr:npub1gcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqlfnj5z

If your root nsec leaks then your messages aren’t compromised? and you would never be copying around these keys so maybe they could be more resistant to people pasting them somewhere and leaking them.

You have issues with needing to send many giftwraps though… but maybe not an issue once inbox relays are more widely used.