I agree and I wish more people understood this distinction.
To say that NFTs are all scams is like saying that pixel shaders are all games. One is often used to implement the other, but they're not the same thing.
NFTs will likely find niches outside of signifying ownership. For instance, I'd like to see them used to denote package maintainer status. That way you could have automation that allows package maintainers to do certain maintenance things like publish the hash of the next version, and if they transfer the token to a new maintainer, no permission rejiggering would be required.
Sharing private keys is bad practice for a lot of reasons.
Presumably in this case you're doing this without a third party like GitHub (e.g. the code is stored on IPFS).
Rotating that RSA key requires all of your users to update things on their side so they'll continue accepting updates signed by the new key. That's a problem because you want key rotation to be low-effort so people do it just in case, and notifying every user is the opposite of that.
On the other hand, when a new user or organization takes over for an old one re: publishing updated versions (presumably there's a smart contract that gets updated with the latest trusted hash by the tokenholder), that's an event where you really do want all your users to scrutinize the new maintainer.
Key transfer is opaque, NFT transfer is transparent.
Token ring protocol was useful, back in its day. Those tokens were also non-fungible (admittedly, there were weaker assurances around that nonfungibility, but I think that's orthogonal).
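The maintainer-token idea discussed in the comments above, sketched as an added example (not code from any commenter or project): a client replays a public event log, trusts only hashes published by the current token holder, and flags an update for scrutiny when the token has changed hands. The event format, account names and function names are assumptions, and an in-memory list stands in for the on-chain log.

```python
import hashlib
from typing import NamedTuple

class Event(NamedTuple):
    kind: str    # "transfer" or "publish"
    sender: str  # account that submitted the event
    value: str   # new holder (transfer) or SHA-256 of the release (publish)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def replay(events, genesis_holder):
    """Replay the public log: (trusted_hash, publisher, holder, rejected_indexes)."""
    holder, trusted, publisher, rejected = genesis_holder, None, None, []
    for i, ev in enumerate(events):
        if ev.sender != holder or ev.kind not in ("transfer", "publish"):
            rejected.append(i)          # only the current token holder may act
        elif ev.kind == "transfer":
            holder = ev.value           # maintainer change is a public event
        else:
            trusted, publisher = ev.value, ev.sender
    return trusted, publisher, holder, rejected

def check_update(events, genesis_holder, pinned_maintainer, artifact):
    """Client-side decision for a downloaded artifact (bytes)."""
    trusted, publisher, _, _ = replay(events, genesis_holder)
    if trusted is None or sha256_hex(artifact) != trusted:
        return "reject"
    if publisher != pinned_maintainer:
        return "review-new-maintainer"  # valid hash, but the token changed hands
    return "accept"

# Constructed sample data: artifacts and a log with one transfer.
V1, V2, TAMPERED = b"pkg-1.0", b"pkg-2.0", b"pkg-1.1-tampered"
LOG = [
    Event("publish", "alice", sha256_hex(V1)),
    Event("publish", "mallory", sha256_hex(TAMPERED)),  # not the holder: ignored
    Event("transfer", "alice", "bob"),
    Event("publish", "alice", sha256_hex(V1)),          # former holder: ignored
    Event("publish", "bob", sha256_hex(V2)),
]

if __name__ == "__main__":
    print(check_update(LOG[:2], "alice", "alice", V1))  # before the transfer
    print(check_update(LOG, "alice", "alice", V2))      # client still pins alice
    print(check_update(LOG, "alice", "bob", V2))        # client has accepted bob
```

Unlike a rotated signing key, the client needs no new key material here: it only has to decide whether to move its pinned maintainer from the old holder to the new one.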