My understanding... The npub is the public part. It's all basically public record (unless you encrypt the content). The nsec is the "key" you use to sign all the events (notes, posts, changes to your profile). Best practice is to use a remote signer or browser extension to sign in rather than give out your nsec to all the apps you want to test.