I'm convinced-- it is a good idea to worry about 80-bit collision attacks now.

Thanks to all the people smarter than me who contributed to this discussion, I learned a lot about collision attacks that I didn't know before.

Would this be a reasonable "executive summary":

If you are agreeing to lock up funds with somebody else, and they control what public key to use, you are susceptible to collision attacks.

It is very likely an 80-bit-collision-in-ten-minutes attack will cost less than $1 million in 10 to 20 years (possibly sooner if there are crypto breaks in that time).

If you don't trust the person with whom you're locking up funds and you're locking up a significant amount of money (tens of millions of dollars today, tens of thousands of dollars in a few years):

Then you should avoid using pay-to-script-hash addresses and instead use the payment protocol and "raw" multisig outputs.

AND/OR

Have them give you a hierarchical deterministic (BIP32) seed, and derive a public key for them to use.


----------

Following the "security in depth" and "validate all input" secure coding principles would mean doing both: avoid p2sh AND have all parties to a transaction exchange HD seeds, add randomness, and use the resulting public keys in the transaction.


--
Gavin Andresen
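The scenario in the summary above (the counterparty who chooses the public key grinds until the honest 2-of-2 script and a script only they can spend hash to the same value) and the seed-derivation mitigation, as an added example that is not part of Gavin's message or of any Bitcoin code. Assumptions: a truncated SHA-256 stands in for the 160-bit HASH160 so the search finishes in seconds, random 33-byte strings stand in for secp256k1 public keys, and HMAC-SHA256 over a counterparty seed and victim nonce stands in for a BIP32 child derivation; the script opcodes (OP_2, OP_CHECKMULTISIG, OP_CHECKSIG, 33-byte push) are the real Bitcoin encodings.

```python
"""Birthday collision against a hash-committed script, and why letting the
victim derive the counterparty's key removes the attack (added example).

Stand-ins, not Bitcoin's real primitives:
  * truncated SHA-256 replaces the 160-bit HASH160 (tunable `bits`);
  * "public keys" are random 33-byte strings, not secp256k1 points;
  * HMAC-SHA256(seed, nonce) replaces a BIP32 child-key derivation.
"""
import hashlib
import hmac
import random

OP_2, OP_CHECKMULTISIG, OP_CHECKSIG, PUSH33 = b"\x52", b"\xae", b"\xac", b"\x21"


def multisig_2of2(pk_a: bytes, pk_b: bytes) -> bytes:
    """Serialized `2 <pk_a> <pk_b> 2 OP_CHECKMULTISIG` redeem script (71 bytes)."""
    return OP_2 + PUSH33 + pk_a + PUSH33 + pk_b + OP_2 + OP_CHECKMULTISIG


def pay_to_pubkey(pk: bytes) -> bytes:
    """Serialized `<pk> OP_CHECKSIG`: spendable by pk's owner alone."""
    return PUSH33 + pk + OP_CHECKSIG


def script_hash(script: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for HASH160 (assumption)."""
    digest = hashlib.sha256(script).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def fake_pubkey(rng: random.Random) -> bytes:
    """33-byte stand-in for a compressed pubkey (not a real curve point)."""
    return bytes([rng.choice((2, 3))]) + rng.getrandbits(256).to_bytes(32, "big")


def birthday_attack(victim_pk: bytes, bits: int, seed: int = 1):
    """Attacker controls the second key of the 2-of-2 AND the decoy script.

    Alternates between candidate honest scripts and candidate attacker-only
    scripts, remembering every truncated hash; the first cross-match is the
    collision. Expected work is about 2**(bits/2) hashes in total.
    Returns (honest_script, decoy_script, hashes_computed).
    """
    rng = random.Random(seed)
    honest, decoys = {}, {}
    n = 0
    while True:
        h_script = multisig_2of2(victim_pk, fake_pubkey(rng))
        h = script_hash(h_script, bits)
        n += 1
        if h in decoys:
            return h_script, decoys[h], n
        honest.setdefault(h, h_script)
        d_script = pay_to_pubkey(fake_pubkey(rng))
        d = script_hash(d_script, bits)
        n += 1
        if d in honest:
            return honest[d], d_script, n
        decoys.setdefault(d, d_script)


def victim_derives_key(counterparty_seed: bytes, victim_nonce: bytes) -> bytes:
    """Victim-side derivation standing in for a BIP32 child key (assumption):
    the counterparty hands over a seed, the victim mixes in its own randomness,
    and only the resulting key goes into the script, so the attacker cannot
    grind over candidate honest scripts any more."""
    raw = hmac.new(counterparty_seed, victim_nonce, hashlib.sha256).digest()
    return b"\x02" + raw


def second_preimage_attack(target_script: bytes, bits: int, budget: int, seed: int = 1):
    """With the honest script fixed by the victim, only the decoy can vary:
    a preimage search costing ~2**bits hashes rather than 2**(bits/2).
    Returns the matching decoy script, or None when the budget runs out."""
    rng = random.Random(seed)
    target = script_hash(target_script, bits)
    for _ in range(budget):
        d_script = pay_to_pubkey(fake_pubkey(rng))
        if script_hash(d_script, bits) == target:
            return d_script
    return None


def demo(bits: int = 32, budget: int = 2 ** 17) -> dict:
    """Run both scenarios on a constructed victim key and return the artifacts."""
    victim_pk = fake_pubkey(random.Random(7))
    honest, decoy, work = birthday_attack(victim_pk, bits)
    derived = victim_derives_key(b"seed handed over by counterparty", b"victim's own randomness")
    fixed = multisig_2of2(victim_pk, derived)
    return {"victim_pk": victim_pk, "honest": honest, "decoy": decoy, "work": work,
            "fixed": fixed, "preimage": second_preimage_attack(fixed, bits, budget)}


if __name__ == "__main__":
    r = demo()
    print(f"birthday collision on a 32-bit commitment after {r['work']} hashes")
    print("honest script:", r["honest"].hex())
    print("decoy script: ", r["decoy"].hex())
    print("preimage attack with the same budget against a victim-derived script:", r["preimage"])
```

The attacker's cost falls from 2^bits to roughly 2^(bits/2) only because they get to vary both sides of the match: their own key inside the honest script and the decoy script. The two mitigations in the summary attack that freedom from different ends: a "raw" multisig output places the script itself on-chain, so there is no hash to collide, while victim-side key derivation pins the honest script down before the attacker sees it, leaving only the full-cost preimage search shown by `second_preimage_attack`. Scale `bits` up to see the gap widen; at the real 160 bits the birthday side is the 2^80 figure discussed in the thread.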