Unless you compiled your open source client yourself, you don't know what the "open source" client is doing with your key either. The compiled version from the app/play store can be different from the publicly released code and you would never know it.
Yes, hence the need also to proxy.
With both you can keep an eye out for any unusual looking identifiers being passed around, tie that back to the code and if not, ask questions in public.
Very true, although that is a more expensive attack to pull off successfully.