Huh! I hadn’t considered the fact that revoked states would allow HLTC-Timeout paths to create pins. Another symptom of layered transactions if I’m thinking about this right. So I think you’re right, not only would you need to lock down HTLC-Success paths, as I’d thought and previously proposed, but you’ll also need to pre-sign HTLC-Timeout paths.
v3 alone probably isn’t enough, as adversary can use the ANYONECANPAY-nature of owned-by-remote HTLC-Success paths to inflate their data to generate a pin. Switching to v3+epehemeral anchor would mitigate the pin, at the cost of extra vb in benign cases 
Aside: If LN commit txns weren’t layered, this becomes slightly easier, as we only have to lock down the HLTC-Success paths since the contesting period wouldn’t be exposing HTLC outputs directly.