there is no user accounts and without the key you can't sign events.

Okay that is clear to me. Overall, that's a bigger security issue innit? All the power is focused on one single key instead of distributing it across different auth methods Am I missing something?