It likely improves security across the broader ecosystem for there to exist many hundreds of different seed derivation schemes.
What will save this and many other schemes from brute force adventurism is the fact that once you use this to generate the master private/public key pair > individual key pairs > address hashes, there is no way to tell how the seed was derived.
So unless you go announcing it on the web (too late for you), brute force attacks have to come through the hash-wall and derive a private signing key from a matching public key.
This is not publicly known to be possible. Social engineering is where it's at: do not post on Facebook that each of your family members is memorizing 3 words for you.