Here A has signed their input, which can then be broadcast by itself or with another input attached by an outside observer to meet the correct amount, and the output will go to an invalid destination. Regardless of whether B signs with ALL or not, the outside observer can strip B and add their own input or not. Therefore it is insecure for A to sign at all with ACP. Am I missing something?
Even with trusting the other signers, an outside observer can strip out your ACP inputs and add their own to them right?