What is best practice around nsec?
Replies (2)
Put it in Amber (or any signer) and deny network access to that app.
Signers should rarely receive updates. The smaller the signer, the easier it is to audit and make sure there are no leaks.
Larger apps not only change all the time, but they also update their dependencies all the time, which makes it really hard to know if the nsec is leaking or not.
Any dependency can inject code to steal the nsec from users.
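One way to check an app's logs, crash reports or captured request bodies for a leaked nsec, shown as an added example that is not part of the original thread or of any signer's code. It assumes lower-case bech32 as used by NIP-19; the key bytes, log lines and function names are constructed for illustration.

```python
import re

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)

def polymod(values):
    # BIP-173 bech32 checksum polynomial
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk

def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def encode_nsec(key32):
    # Only used to build a constructed sample: 256 bits padded to 52 five-bit groups.
    acc = int.from_bytes(key32, "big") << 4
    data = [(acc >> (5 * i)) & 31 for i in range(51, -1, -1)]
    pm = polymod(hrp_expand("nsec") + data + [0] * 6) ^ 1
    chk = [(pm >> (5 * (5 - i))) & 31 for i in range(6)]
    return "nsec1" + "".join(CHARSET[d] for d in data + chk)

def is_valid_nsec(s):
    data = [CHARSET.find(c) for c in s[5:]]
    return (s.startswith("nsec1") and len(data) == 58 and -1 not in data
            and polymod(hrp_expand("nsec") + data) == 1
            and data[51] & 0x0f == 0)  # the 4 padding bits must be zero

# Candidate: "nsec1" followed by exactly 58 bech32 characters.
NSEC_RE = re.compile(r"nsec1[%s]{58}(?![%s])" % (CHARSET, CHARSET))

def find_leaked_nsecs(text):
    # The checksum test drops look-alike strings, so every hit is a real key.
    return [m.group(0) for m in NSEC_RE.finditer(text) if is_valid_nsec(m.group(0))]

# Constructed sample: a throwaway key and two fake log lines (second has a bad checksum).
SAMPLE_KEY = encode_nsec(bytes(range(1, 33)))
BAD_KEY = SAMPLE_KEY[:-1] + ("q" if SAMPLE_KEY[-1] != "q" else "p")
SAMPLE_LOG = f"POST /metrics body={{'k':'{SAMPLE_KEY}'}}\nDEBUG key={BAD_KEY}\n"

if __name__ == "__main__":
    for hit in find_leaked_nsecs(SAMPLE_LOG):
        print("leaked nsec found:", hit[:9] + "...")
```
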