Nope. They can derive your spend public key and scan public key - that’s the sp address- not the corresponding private keys. Those need to be protected, same as the nsec.