It can be an attack vector as you describe. I would keep any onchain zaps isolated from other wallets. It is a privacy issue for those who link real life identity with an nsec. This on chain zap is almost like nostr kyc. For the uniformed zaps can be a legal / tax burden. The arguement made is that zaps are public already, but lightning and cashu make big differences and there isn't dust.