When you complete a signature (Phase 2 above), that session_id has already been destroyed (beginning of Phase 2). A new PSBT with the same session_id would have to start again from Phase 1, and a new session with fresh randomness (rand_root in my post above) would be created (even if it has the same session_id).
The only malleability in the PSBT while a session is “active” is after the session is created in Phase 1, and before signatures are produced in Phase 2, which is what I was commenting about in the last post.
Perhaps I should make it more explicit in the description that Phase 2 fails immediately if a corresponding active session_id is not found.
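
A toy model of the session lifecycle described in the post above, added here as an example and not code from the post's author or from any wallet implementation. The names `SigningDevice`, `phase1`, `phase2` and `NoActiveSession` are hypothetical, the session_id is treated as an opaque value, and an HMAC stands in for the real partial signature.

```python
import hashlib
import hmac
import secrets


class NoActiveSession(Exception):
    """Phase 2 was called for a session_id with no active session."""


class SigningDevice:
    """Models the session lifecycle only; no real MuSig2 math (assumption)."""

    def __init__(self):
        self._sessions = {}  # session_id -> rand_root, volatile state

    def phase1(self, session_id: bytes) -> bytes:
        # Always draw fresh randomness, even if this session_id was seen before.
        rand_root = secrets.token_bytes(32)
        self._sessions[session_id] = rand_root
        # A hash commitment stands in for the public nonces (assumption).
        return hashlib.sha256(b"pubnonce" + rand_root).digest()

    def phase2(self, session_id: bytes, psbt: bytes) -> bytes:
        # Destroy the session first: pop() removes it before anything is
        # signed, so no retry or error path can reuse the same rand_root.
        rand_root = self._sessions.pop(session_id, None)
        if rand_root is None:
            raise NoActiveSession(session_id.hex())
        # Placeholder for the partial signature, keyed with rand_root.
        return hmac.new(rand_root, psbt, hashlib.sha256).digest()


def demo():
    dev = SigningDevice()
    sid = hashlib.sha256(b"constructed session id").digest()  # constructed
    psbt = b"constructed PSBT bytes"                          # constructed
    first_nonce = dev.phase1(sid)
    dev.phase2(sid, psbt)
    try:
        dev.phase2(sid, psbt)  # second Phase 2 without a new Phase 1
        replay_rejected = False
    except NoActiveSession:
        replay_rejected = True
    second_nonce = dev.phase1(sid)  # same session_id, new session
    return replay_rejected, first_nonce != second_nonce
```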