Just noting publicly here:
For “top block” style systems we would have to ensure that all resulting clusters remain “top block”, otherwise pinning can trivially happen by creating a top block cluster, then “cycling” away the CPFP on a large low-fee parent transaction. Ensuring each state transition results in “top block” is essential.
These kinds of checks can likely be achieved, and state transitions simply rejected on failure, but it’s a bit more complicated than I was hoping!
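A sketch of the per-transition check described above, as an added example that is not part of the original post or any project's code. It assumes a cluster is given as a topologically ordered list of `(txid, fee_sat, vsize_vb)` and that "top block" means every chunk of that linearization pays at least an assumed next-block cutoff feerate; all names and numbers are constructed for illustration.

```python
from fractions import Fraction

CUTOFF = Fraction(10)  # assumed next-block cutoff feerate, sat/vB (constructed)

def chunk_feerates(linearization):
    """Chunk a parents-first linearization: a trailing chunk is merged into
    the one before it while it pays a higher feerate (CPFP absorbs its parent)."""
    chunks = []  # each entry is [total_fee, total_vsize]
    for _txid, fee, vsize in linearization:
        chunks.append([fee, vsize])
        while len(chunks) > 1 and (
            Fraction(*chunks[-1]) > Fraction(*chunks[-2])
        ):
            fee_hi, size_hi = chunks.pop()
            chunks[-1][0] += fee_hi
            chunks[-1][1] += size_hi
    return [Fraction(f, s) for f, s in chunks]

def is_top_block(linearization, cutoff=CUTOFF):
    """Assumed definition: no chunk of the cluster falls below the cutoff."""
    return all(rate >= cutoff for rate in chunk_feerates(linearization))

def accept_transition(resulting_clusters, cutoff=CUTOFF):
    """Reject the state transition unless every resulting cluster is top block."""
    return all(is_top_block(c, cutoff) for c in resulting_clusters)

# Constructed sample: a large low-fee parent made top block by a CPFP child.
PARENT = ("parent", 1_000, 100_000)        # 0.01 sat/vB on its own
CHILD = ("child", 1_100_000, 200)          # pays for the whole package
BEFORE = [PARENT, CHILD]

# Transition 1: the child is conflicted out by a transaction that does not
# spend the parent, so the parent is left alone in its own cluster.
CYCLED = [[PARENT], [("unrelated", 4_000, 200)]]

# Transition 2: the child is replaced by a higher-fee child of the same parent.
BUMPED = [[PARENT, ("child2", 1_500_000, 200)]]

if __name__ == "__main__":
    print("before is top block:", is_top_block(BEFORE))
    print("cycle-away accepted:", accept_transition(CYCLED))
    print("fee bump accepted:  ", accept_transition(BUMPED))
```

Checking only the incoming transaction's own cluster would pass the cycle-away case, which is why the check runs over every cluster the transition leaves behind.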