Currently we just use a "Nothing Up My Sleeve" point which no one knows the private key of.
You should not use that, unless it is strictly necessary. It is better to pick a public key that is just an N-of-N multisig of everyone involved. In this way, there is always a chance to spend by key (and make it cheaper) if everyone agrees.
In general, Taproot addresses should be "always spendable by key, and sometimes spendable by key, and by TapScript".
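As an added illustration of the reply's point (example code written for this page, not taken from the thread): pure-Python secp256k1 arithmetic that builds the BIP341 output key Q = P + t*G for two kinds of internal key, a constructed NUMS point and a naive sum of the participants' keys, and shows that only the second one has a key-path spending secret. The seed, private keys and merkle root are constructed; real wallets use MuSig2 for the aggregate key and libsecp256k1 rather than this slow arithmetic.

```python
import hashlib

# secp256k1 parameters: field prime p, group order n, generator G
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):  # affine addition; None is the point at infinity
    if a is None or b is None:
        return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % p == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, p) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, p)) % p
    x = (lam * lam - a[0] - b[0]) % p
    return (x, (lam * (a[0] - x) - a[1]) % p)
def point_mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1:
            r = point_add(r, pt)
        pt, k = point_add(pt, pt), k >> 1
    return r
def lift_x(x):  # BIP340: x-only key -> point with even y, or None if x is off-curve
    y = pow((pow(x, 3, p) + 7) % p, (p + 1) // 4, p)
    if pow(y, 2, p) != (pow(x, 3, p) + 7) % p:
        return None
    return (x, y if y % 2 == 0 else p - y)
def tap_tweak(internal_x, merkle_root):  # BIP341 t = H_TapTweak(P_x || merkle_root)
    tag = hashlib.sha256(b"TapTweak").digest()
    msg = tag + tag + internal_x.to_bytes(32, "big") + merkle_root
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")
def taproot_output_key(internal_x, merkle_root=b""):
    # Q = P + t*G (x-only); the chain cannot tell a NUMS from an aggregate internal key
    return point_add(lift_x(internal_x), point_mul(tap_tweak(internal_x, merkle_root), G))[0]
def tweaked_privkey(d, internal_x, merkle_root=b""):
    # key-path spending secret d + t mod n; only exists if someone holds d (never for NUMS)
    if point_mul(d, G)[1] % 2:  # negate d so that d*G matches the even-y lift of P_x
        d = n - d
    return (d + tap_tweak(internal_x, merkle_root)) % n
def aggregate_key(points):
    # naive N-of-N aggregation by point addition (x-only); real wallets use MuSig2,
    # which weights each key to block rogue-key attacks. Illustration only.
    agg = None
    for pt in points:
        agg = point_add(agg, pt)
    return agg[0]
def nums_internal_key(seed=b"constructed NUMS seed"):
    # internal key with no known private key: first on-curve x from hashing a public seed
    x = int.from_bytes(hashlib.sha256(seed).digest(), "big") % p
    while lift_x(x) is None:  # about half of all x values are on the curve
        x += 1
    return x
```

With the aggregate internal key, the sum of the participants' private keys plus the tweak spends Q by key; with the NUMS internal key the same output key is only spendable through TapScript, exactly the cost difference the reply describes.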