I pointed this out to the authors years ago as yet another example of why the CTV approach is simply a bad design.
If you want an absolute spec on things then sure, you’re going to have some footguns. But the actual covenants people want are almost always far more specific and limited and don’t imply such a footgun. But CTV forces any usage to be footgunny, because it doesn’t allow for a less expansive covenant.
One mistake made in the development of the segwit address standards is that we didn’t reserve any of the witness ID range for values that couldn’t be encoded as addresses – as it would be preferable, I think, for any scripts that will likely lose ‘random’ funds sent to them to just not have an address encoding at all so as to make accidental sends much harder. … or at least have that as an option for users when they author their scripts.