Thanks for this! It is not far off from what I have.
In your approach though, each input will have a share and proof. In mine, all inputs that a signer has the private key for are combined into one share and proof. Can we combine these into having one proof for each scan key and set of inputs? Perhaps a global field where key data is 33 bytes scan followed by set of indexes?
Constructors also need to check if there are any ANYONECANPAY sighashes on any inputs before adding a silent payment, and updaters need to check as well, but I suppose that can be done without modifying PSBT_GLOBAL_TX_MODIFIABLE. The reason I added a Has Silent Payments flag to it is for the same reason there is a Has Sighash Single flag.