you are as naive and stck in the box as lauda..

its time you took off the fanboy hat and thought outside of the box.

i said the malicious pool will make a segwit!!!!!!!!!!!!!
a segwit transaction
a segwit transaction
a segwit transaction

why the F*ck are you talking about p2pkh... seriously..

so one more time.

malicious pool makes a segwit transaction.. that is using op_0.. not a op_true..(they are different things)
the transaction grabbed a random input from anyone. knowing that right now today the signature was not important. because current network wont see or care about signatures.(because of op_0)
again remember its a segwit transaction not a standard p2pkh.. so the arrangement of where the signature should exist would be different and thus old clients would just see it as funky
it puts it into a block.
so now its in a block, old clients cant just drop it. instead old clients look passed it not checking it because its set as op_0 so they will blindly say it the block seems ok even with the funky TX..
this funky Tx has a destination output of 1MaliciouspoolAddress (which the pool does own the privkey too, and will use later)
lets say this happens today.. long before segit is a thing

now.. have a coffee and let that part settle in.. do not confuse the part above with the part below.

ok, fast foward one month..
the pool has lots of confirmations accrued for that transaction and no chance of an orphan..
now all the pool needs to do is spend that 1MaliciouspoolAddress output in a new input the standard way signing it with the privkey they do have