I guess it depends on how many actual mint-to-mint transactions there are. If there are a lot, then audits are hidden in the crowd. Otherwise, what you describe is indeed possible.
And yes, Bolt12's receiver privacy probably fixes this 🫡