Replying to Garbage nsec

> Companies can easily set up a bunker and just share the bunker credentials with the employees, not the key.

I think for smaller ones that works. But for bigger ones, it's the "nobody can ever un-see an nsec" problem. Some jaded IT department head leaves and takes with him a lifetime license to sabotage. (At least the lifetime of the nsec, anyway.) Can't allow it. And people come and go all the time. And nobody's going to dare ask the higher-ups to hold an nsec.

I get that you can try to engineer a Frost-based "unseeable-nsec" system, but that freezes everything in state, and that freezing in state creates more problems than it solves. (Plus try explaining it in 100 words or less.) And making seeing the nsec a no-go by outsourcing "nsec holdings" to a trusted third party that will generate bunkers for your company as per a business contract just moves the problem around.

But companies as relays I do like. Hey company, are you able to manage your AWS VMs? Yes? Good, then you can manage this too.

Melvin Carvalho 10mo ago

You need a dynafed N or M with 2/3rd honest majority plus subkeys plus key rotation. Something like that.

Discussion

Garbage nsec 10mo ago

Thanks, I'll give some thought to the UX for something like that. I may be assuming this path is more terrifying for your average company than it has to be.