remember the signatures are moved. to allow them to be processed differently. and old clients cant reject the transaction simply because it doesnt have a signature, if its locked into a confirmed block by a malicious miner. instead its just overlooked.
Your example is invalid because this "malicious miner" can't include an invalid tx in a block, otherwise the whole block would be invalid and hence rejected by the network.
The tx would be invalid, no matter how "funky" it is, because you have to correctly sign the inputs, and if you do not have the private keys of the inputs, you can't provide signatures.
No way to bypass that step, it's how Bitcoin works, and it's made expressly to avoid the attacks you are describing.