Perhaps we can add a filter command to the NIP-46 RPC to fetch a bunch of messages and get them decrypted, so instead of the client fetching the encrypted DMs, sending them to the nsecBunker for decryption, and then back, the client sends the filter it wants and the nsecBunker replies with the messages directly. Or Perhaps we could have another approach where the nsecBunker is a relay, authorized clients AUTH themselves, publish to that relay and the nsecBunker/relay signs and publishes the event itself to the specified relays (added like a tag or something). And for decryption the client just gets the messages decrypted straight in the AUTHed wire.

Sure, or just change it from decrypt to getSharedSecret. That should already be enough to solve everything without having to turn the nSecbunker into a relay.