this all seems reasonable, though I’m getting flashbacks to 26711 
I think this also goes back to what I think you phrased something like “we pick our most incentive compatible thing, then do DoS checks to accept/reject”. The alternative strategy strikes me as the other direction, where we search for something DoS-compatible, then pick the most incentive compatible of that.
Like 26711, this proposed per-chunk evaluation would allow easier “catch-up” even if the relayed package was somehow too large for the cluster itself.
For a first-cut we could limit ourselves to a single RBF attempt per package, catching more RBFs could be punted for future work if diagram check is expensive.
If we get some “malicious” failure like signature failure I think it makes sense to drop the rest of the package potentially. ala 26711.