Anyia, stressed girl 🏳️⚧️ on Nostr: nprofile1q…ufle4 the "jwk" member. Embedding the public key with which to verify ...
nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpq7yf7cxzxz4kwf24zmflvyqqtrylsjwm5q9a074u5ger57rmzz0aq0ufle4 (nprofile…fle4) the "jwk" member. Embedding the public key with which to verify the JWT seems like an invitation to anyone+dog to craft their own JWTs with whatever claims. A validating server would still need to look up the key ID, and need to verify that the pub key matches what's embedded, so why embed it in the first place?
I must be missing something?
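The check the post describes (look up the key ID, then confirm the embedded public key matches), as an added example that is not part of the original post. The names `resolve_key`, `make_token`, `TRUSTED` and `OTHER` and the sample key values are constructed assumptions; the comparison uses the RFC 7638 JWK thumbprint, and signature verification with the returned key is a separate step not shown here.

```python
import base64, hashlib, json

# RFC 7638: members that define each key type's thumbprint.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"),
            "OKP": ("crv", "kty", "x")}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint over the required members, sorted, no whitespace."""
    try:
        core = {m: jwk[m] for m in REQUIRED[jwk["kty"]]}
    except (KeyError, TypeError):
        raise ValueError("malformed or unsupported jwk")
    canonical = json.dumps(core, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def resolve_key(token: str, trusted: dict) -> dict:
    """Return the trusted JWK to verify `token` with, or raise ValueError.

    The header's "jwk" never becomes the verification key: it is only
    compared against the key the server already trusts for that "kid".
    """
    head = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))
    key = trusted.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    if "jwk" in header and jwk_thumbprint(header["jwk"]) != jwk_thumbprint(key):
        raise ValueError("embedded jwk does not match trusted key")
    return key

def make_token(header: dict) -> str:
    """Constructed sample token; payload and signature are placeholders."""
    return ".".join([b64url(json.dumps(header).encode()), b64url(b"{}"), "sig"])

# Constructed sample keys (not real key material).
TRUSTED = {"k1": {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk"}}
OTHER = {"kty": "EC", "crv": "P-256", "x": "b3RoZXIteA", "y": "b3RoZXIteQ"}

if __name__ == "__main__":
    print(resolve_key(make_token({"alg": "ES256", "kid": "k1"}), TRUSTED))
```
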