Something like that, but with key revocation you need to have a certification authority which doesn’t exist here since the keys are self-generated.

This is more of a one-time message that indicates that the npub has been compromised. The relays would still be free to ignore it unless it is core protocol.

Of course the person needs to know their keys were compromised in the first place (which they will not know unless the atacker publishes something or makes some other changes).