On our app, nsec get encrypted through a user-defined password that is only stored in memory and never to disk.
In case of leak, you'd need the passwords to make decrypt them. It is also possible to add salt on them to make extra difficult to decrypt by bruteforcing, however, this kind of step isn't implemented yet.