Basic vault prototype using OP_CAT

I think that the covenant script does not actually enforce all that.

It enforces that the amount and scriptpubkey of the first input is the same as the amount and scriptpubkey of the first output.

But it does not validate the sizes of the buffers - that means that target_scriptpubkey_buffer can contain extra data, for extra outputs.

The fee_scriptpubkey_buffer and fee_amount_buffer can contain extra data, too, for extra inputs.

If the script_pubkey_buffer contains extra data, it will interfere with calculation of spent_scripts_single_hash as that extra data will be taken as scriptpubkey data, while it will need to contain the amounts. But IIRC, non-standard taproot outputs are treated as anyone-can-spend by miners, so maybe some manipulation is possible here, too.

I think the script should have size checks added for the sizes of all the buffers, just in case.

2 Likes
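The buffer-size concern raised in the post above, as an added Python model (not part of the original post and not the vault prototype's code). It assumes the script builds the outputs portion of the sighash preimage by concatenating an 8-byte amount buffer with a length-prefixed scriptPubKey buffer; the function names, keys and amounts are constructed for illustration.

```python
import struct

P2TR_SPK_LEN = 34                            # OP_1 <32-byte x-only key>
VAULT_SPK = b"\x51\x20" + b"\x11" * 32       # constructed sample key
OTHER_SPK = b"\x51\x20" + b"\x22" * 32       # constructed sample key

def ser_txout(amount: int, spk: bytes) -> bytes:
    """CTxOut layout: 8-byte LE amount, compact-size length, scriptPubKey."""
    if len(spk) >= 0xFD:
        raise ValueError("only single-byte compact sizes are modelled")
    return struct.pack("<q", amount) + bytes([len(spk)]) + spk

def parse_txouts(blob: bytes) -> list:
    """Split a byte string the way an outputs preimage is interpreted."""
    outs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 9 or blob[i + 8] >= 0xFD:
            raise ValueError("malformed output")
        (amount,) = struct.unpack_from("<q", blob, i)
        n = blob[i + 8]
        spk = blob[i + 9 : i + 9 + n]
        if len(spk) != n:
            raise ValueError("truncated output")
        outs.append((amount, spk))
        i += 9 + n
    return outs

def covenant_preimage(amount_buf: bytes, spk_buf: bytes, check_sizes: bool) -> bytes:
    """Model of concatenating witness-supplied buffers (the OP_CAT step)."""
    if check_sizes:
        # Script equivalent: OP_SIZE <n> OP_EQUALVERIFY on each buffer.
        if len(amount_buf) != 8 or len(spk_buf) != 1 + P2TR_SPK_LEN:
            raise ValueError("buffer size mismatch")
    return amount_buf + spk_buf

# Buffer as intended: one length-prefixed scriptPubKey.
HONEST_BUF = bytes([P2TR_SPK_LEN]) + VAULT_SPK
# Same buffer with one more serialized output appended after it.
OVERSIZED_BUF = HONEST_BUF + ser_txout(1_000, OTHER_SPK)

def count_outputs(spk_buf: bytes, check_sizes: bool) -> int:
    """Number of outputs the resulting preimage actually commits to."""
    pre = covenant_preimage(struct.pack("<q", 50_000), spk_buf, check_sizes)
    return len(parse_txouts(pre))

if __name__ == "__main__":
    print(count_outputs(HONEST_BUF, True))      # one output, sizes verified
    print(count_outputs(OVERSIZED_BUF, False))  # same "single" buffer, two outputs
```

Without the size check the oversized buffer is accepted and the preimage describes two outputs; with the check it is rejected before concatenation.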