It's one-way delivery. We each have an encryption keypair (kyber) separate to our signing keypair (dilithium). I generate a random secret on the fly and encrypt to your public key. Now you have it, so shared. But nostr logic doesn't really allow for 2 keypairs at once, so nobody in this future has a kyber key ready to go, it's all like that new-ish NIP can't remember the # for separating signing and encryption.