That’s a good question. It’s definitely far less important post-segwit. I’d call it a nice-to-have, for reasons of not needing to mess with txins on malleation (segwit means that dependent transactions can be adapted if their parents are malleated, but someone still needs to do that adapting).
The concern here is that if either of the two constituent schemes is broken (perhaps secp256k1 by a CRQC, or the post-quantum scheme turns out to be classically broken), anyone can replace that part of the hybrid signature with another one (because they, like everyone, have the private key). I don’t see how the scheme itself matters here, unless it’s a unique signature scheme (i.e., every message/key pair only has one valid signature, like BLS).
Indeed, in a multisig setting you need to trust your co-signers not to re-sign. Adversarially, protection from malleation is only something that makes sense in the single-signer setting. The concern with a hybrid scheme where one of the two might be broken is that you now have to worry about anyone in the world malleating.
I do not understand this. Deterministic signing constrains honest signers, not adversaries. You cannot prevent adversaries who learn your private key (or the part thereof that corresponds to the broken scheme) from signing with whatever algorithm they like.
I haven’t read it in detail. It looks pretty similar to this, but applying to the public key, rather than the public nonce as done here? The scheme here needs 32 bytes extra in the public key (for P) and 32 bytes extra in the signature (for s).
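The re-signing concern discussed in the post above, as an added example that is not part of the original post or of any scheme referenced in the thread. It assumes a toy Schnorr signature over a constructed 11-bit group for both halves of a hypothetical hybrid, with every name and parameter invented for illustration.

```python
import hashlib

# Toy Schnorr group (constructed, far too small for real use): p = 2q + 1, g of order q.
P_MOD, Q, G = 2039, 1019, 4

def h(*parts):
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def pubkey(x):
    return pow(G, x, P_MOD)

def sign(x, msg, k=None):
    # k=None models an honest deterministic signer (nonce derived from key and message).
    if k is None:
        k = h("nonce", x, msg) % (Q - 1) + 1
    r = pow(G, k, P_MOD)
    e = h(r, pubkey(x), msg) % Q
    return (r, (k + e * x) % Q)

def verify(pub, msg, sig):
    r, s = sig
    e = h(r, pub, msg) % Q
    return pow(G, s, P_MOD) == (r * pow(pub, e, P_MOD)) % P_MOD

def hybrid_verify(pubs, msg, sigs):
    # Hypothetical hybrid rule: both component signatures must verify.
    return all(verify(pk, msg, sg) for pk, sg in zip(pubs, sigs))

def demo():
    msg = "constructed message"
    x_a, x_b = 123, 456  # x_a: key of the component assumed broken, so known to everyone
    pubs = (pubkey(x_a), pubkey(x_b))
    honest = (sign(x_a, msg), sign(x_b, msg))
    repeat = (sign(x_a, msg), sign(x_b, msg))  # deterministic: same bytes again
    # Whoever holds x_a is not bound by the honest nonce rule and picks another nonce.
    k_other = (h("nonce", x_a, msg) % (Q - 1) + 1) % (Q - 1) + 1
    resigned = (sign(x_a, msg, k=k_other), honest[1])
    return {
        "honest_valid": hybrid_verify(pubs, msg, honest),
        "honest_repeatable": honest == repeat,
        "resigned_valid": hybrid_verify(pubs, msg, resigned),
        "resigned_differs": resigned != honest,
        "unbroken_half_unchanged": resigned[1] == honest[1],
    }

if __name__ == "__main__":
    print(demo())
```

The verifier accepts both hybrids because nothing in the verification equation depends on how the nonce was chosen; only a scheme with a single valid signature per message/key pair would reject the second one.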