
For any signed message, there is only ONE public key that could have generated that signature. You either know that key, or you don't. The network can either deliver or help you discover the key, or not. That's way different from trusting a third party to not lie to you about authenticity or the source of the message.


How does that work in the context of the whole system where I need to link a key pair to a person? If I know you in real life we can check key fingerprints or something (GPG suggests statistically nobody will) but otherwise I have to trust a third party who says that the Bob I want to talk to has keys X, Y, and Z.

If you don’t do that, as soon as it becomes popular enough to attract scammers you’re going to have Mallory publishing keys with Bob’s name on them and a million random people who have incredible financial opportunities for you. Most of the decentralized systems shift that problem to another system like email or DNS, Facebook/Twitter/GitHub/etc. at which point it’s worth asking whether there’s still value in decentralization at that point.


Nostr is quite open for what options people use to become more trustable. People can pay a couple thousand sats to get a verification, or as you say, Nostr can also do the same by shifting to a web of existing sources of identity. E.g. it is well known that this Jack is the CEO of Strike (strike.me), and so any Nostr client can verify that https://snort.social/p/jack@strike.me is trustable, because it serves his public key here: https://strike.me/.well-known/nostr.json


So that’s trust based on the DNS and web PKI systems, not the Nostr protocol.
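The name-to-key check discussed in the last two comments, as an added example that is not part of the thread or of any Nostr client's code. It follows the NIP-05 lookup (`/.well-known/nostr.json?name=<local-part>`); `example.com`, both keys and the function names are constructed for illustration, and the response body is passed in so the sketch runs offline.

```python
import json
import re

# NIP-05 identifiers are <local-part>@<domain>; the local part is limited to
# a-z, 0-9, '-', '_' and '.', compared case-insensitively.
_IDENT = re.compile(r"^([a-z0-9._-]+)@([a-z0-9.-]+\.[a-z]{2,})$")
_HEX_KEY = re.compile(r"^[0-9a-f]{64}$")


def lookup_url(identifier: str) -> str:
    """Return the well-known URL a client fetches for this identifier."""
    m = _IDENT.match(identifier.strip().lower())
    if not m:
        raise ValueError(f"not a valid NIP-05 identifier: {identifier!r}")
    local, domain = m.groups()
    # HTTPS only: the domain's TLS certificate is what authenticates the
    # answer, so the binding is rooted in DNS and web PKI, not in Nostr.
    return f"https://{domain}/.well-known/nostr.json?name={local}"


def verify_binding(identifier: str, claimed_pubkey: str, body: str) -> bool:
    """True only if the domain's nostr.json maps the name to the claimed key.

    `body` is the response text fetched from lookup_url(identifier); NIP-05
    requires the fetch to ignore HTTP redirects.
    """
    lookup_url(identifier)  # raises ValueError on malformed identifiers
    local = identifier.strip().lower().split("@", 1)[0]
    claimed = claimed_pubkey.strip().lower()
    if not _HEX_KEY.match(claimed):
        return False
    try:
        names = json.loads(body).get("names", {})
    except (ValueError, AttributeError):  # not JSON, or not a JSON object
        return False
    if not isinstance(names, dict):
        return False
    served = names.get(local)
    return isinstance(served, str) and served.lower() == claimed


# Constructed sample data (not real keys).
BOB_KEY = "ab" * 32
MALLORY_KEY = "cd" * 32
SAMPLE_BODY = json.dumps({"names": {"bob": BOB_KEY}})

if __name__ == "__main__":
    print(lookup_url("bob@example.com"))
    print(verify_binding("bob@example.com", BOB_KEY, SAMPLE_BODY))
    print(verify_binding("bob@example.com", MALLORY_KEY, SAMPLE_BODY))
```

A profile that claims `bob@example.com` with a key the domain does not serve fails the check; a profile on a look-alike domain the publisher controls passes it, which is why the displayed domain still has to be one the reader already trusts.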



