If going for an "unknowable nsec" you can't have multiple enclaves with the same nsec generated by one of the enclaves in anything other than a airtight daisy chain. Meaning if you start with enclaves A and B, you can have enclave A encrypt an nsec it self-generated to the key of enclave B, and then send it to enclave B (all under attestable code), then it exists in both and nowhere else. But they you're just moving the problem around, the same general point of failure just with a much lager bill. And you have all these encalves from day one, because you cannot update the code of enclave A to inform it of, say, enclave C. The only workable way is if it's sent from outside in, but that's the core issue again.