PoS is mining. It's CPU-mining, not much different than what Satoshi designed for Bitcoin.
But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first. Even in your scenario.
That's entirely inaccurate.
Then why does your attack require buying a private key that has mined on the network?