I address this issue in the security caveats. If you keep scanning local, no problem. If you use a scanning server, every key is like a root equivalent. BIP 352, because you have hardened derivation from the nsec, this is not a problem. With this approach, you do.
https://gist.github.com/trbouma/77648ebe1005b181b67d1c4b42c7f31d
Tim Bouma
npub1q6…nx7d5
2026-05-25 23:46:18 CEST
in reply to nevent1q…zc2v
Author Public Key
npub1q6mcr8tlr3l4gus3sfnw6772s7zae6hqncmw5wj27ejud5wcxf7q0nx7d5Published at
2026-05-25 23:46:18 CESTEvent JSON
{
"id": "7de898ee60242a270d280e4334a46b97e33a38e0a2e027e9f0685ee8c4b78f81",
"pubkey": "06b7819d7f1c7f5472118266ed7bca8785dceae09e36ea3a4af665c6d1d8327c",
"created_at": 1779745578,
"kind": 1,
"tags": [
[
"e",
"348eba4d0eabe5fe8c9f501fa4e1fb34be58658dafbc371b48b9dce0e3f9f2e0",
"wss://relay.ditto.pub",
"root",
"06b7819d7f1c7f5472118266ed7bca8785dceae09e36ea3a4af665c6d1d8327c"
],
[
"e",
"41749b81e09fcedacc82a75509aa079bea27bb99c7fb90ab9e87a0d21e72d927",
"wss://nostr.openhoofd.nl",
"reply",
"12ee03d11684a125dd87be879c28190415be3f3b1eca6b4ed743bd74ffd880e6"
],
[
"p",
"52b4a076bcbbbdc3a1aefa3735816cf74993b1b8db202b01c883c58be7fad8bd"
],
[
"p",
"12ee03d11684a125dd87be879c28190415be3f3b1eca6b4ed743bd74ffd880e6"
],
[
"r",
"https://gist.github.com/trbouma/77648ebe1005b181b67d1c4b42c7f31d"
]
],
"content": "I address this issue in the security caveats. If you keep scanning local, no problem. If you use a scanning server, every key is like a root equivalent. BIP 352, because you have hardened derivation from the nsec, this is not a problem. With this approach, you do. \n\n\nhttps://gist.github.com/trbouma/77648ebe1005b181b67d1c4b42c7f31d",
"sig": "b02821fb359b4d1b28fe2d3f1fc6abcaf21faab27afed87811c58a6f7eed62b35e8d8929f4f1d51d21aa57ef0ed87f0cbae9bc28dbd3245c5076248ea5aaeac8"
}