1st one makes sense. 2nd one also makes sense but it's not necessarily near 100% right? So I'm thinking of two things:

I dabbled with the idea before with kind:0 can have a new content tag that specifies a proxy npub and nostr clients accommodate this, where you keep your main npub safe and put a more exposed npub in that kind:0 value, and clients that show kind:1 would show on your main profile posts from that proxy npub with a UI label saying that this is a proxy post, and people following your main would see posts from that proxy npub as if it was you.

This is both a preventative measure and a countermeasure. Decrease the chance of compromising your main npub, and in the case of a compromised proxy npub, you'd just swap to a new proxy npub.

That's the first thing. The other thing I'd want to mention is pre-setting a 'just in case' npub, where on nostr wallet/book creation (there's a complex way and a simple way, but let's go with the simpler one), you'd generate and attach an npub to the first one, and somewhere down the line, if it gets compromised then you'd using that 'just in case' npub and people would know, pretty much 100%, that npub is actually you and not compromised. This would also help with the first scenario you mentioned.