Board: Development & Technical Discussion
Re: Why the fuck did Satoshi implement the 1 MB blocksize limit?
by dinofelis on 04/02/2018, 19:27:13 UTC
Quote
The SPV system that satoshi described involves fraud proofs, which are proofs that miners did not commit fraud. However we have no such thing today. From the paper (emphasis mine):

I never understood that SPV was a check on the correctness of miners.  After all, without having all transactions explicitly you can never know whether or not these transactions were valid.  You cannot know whether there was a double spend or not.  You cannot know whether the signatures were valid or not.  You need to download the entire block to be able to verify that.
You cannot even begin to consider an SPV system that verifies the correctness of miners' verification work of a block.  So that could never be part of it.

The SPV system is not something that "keeps miners in check". The SPV system is a cryptographically secure way to know that a given transaction is part of a given block chain.  In that respect, it is working, and it is working correctly.  Wallets like electrum work that way as far as I understand.

In an SPV system, if one is given a transaction T, a leg in a Merkle tree M(T) leading to T, and the entire header chain, in which the top of the leg M(T) is included, you know for sure that:

- this transaction T is part of the block B with the Merkle Tree M of which you have the leg M(T).
- this block B is part of the block chain of which you have the header list H.

From the header list, you can check the amount of proof of work. In fact, one cannot give you a fake SPV result without at least having spent the proof of work leading up to the block B; but if you have the header list H, one cannot give you a fake SPV result with less than the proof of work in the entire list H.

It is sufficient to check that the list H is part of the actual block chain that is being produced by the mining pools, to know that you have a genuine transaction in the currently accepted consensus block chain. So the only things you need for SPV to be absolutely foolproof are:
- that the header list H is sufficiently recent
- that the current mining pools are working on top of this header list.

As such, you simply need to request the last part of the header list H' from a few of the principal mining pools (or from a few full nodes that you think are up to date) and you know cryptographically that the transaction T that has been shown to you is included in the currently accepted consensus block chain. Note that it is essentially impossible that the currently active mining pools would be lying to you, because in order to lie to you, they would have to spend a lot of proof of work to give you a fake block header list; moreover, it would be very difficult for them to do this in a simultaneous way. They would need to spend as many hashes on the top list of, say, 10 blocks as to mine 10 new blocks.

So, if you can obtain from the top mining pools:
- the last few block headers mined H'
- the SPV data (T, M(T), H)

in such a way that the end of H overlaps with H', you know 100% cryptographically for sure that T is part of the actual block chain.

Quote
Satoshi realizes that SPV is not secure, and that some method must be implemented in order for SPV nodes to know that they are not being defrauded, e.g. by full nodes giving them some alert. But the Bitcoin network does not support such a thing, so Satoshi's "SPV vision" does not work until such proofs can be made and be provably sound (i.e. you can't fake a proof).

No, what Satoshi refers to here is that it could in principle be possible that your SPV provider is providing you with a fork of lesser PoW, that is not the main chain. This is possible in a situation (as Satoshi saw things) where you have a very broad network of mining nodes, and one mining node decides to continue mining on his orphaned fork, and gives you the SPV results of that orphaned fork. If you are not part of the full network, you might believe that this fork is the actual consensus, because you are not up to date with the actual chain. He might, while he's working on his false prong, include transactions that do not exist and that were never broadcast.

Note, however, that in order to do so, one has nevertheless to waste mining resources to make this false prong, in order to mislead you.

In order for this cheating to work, apart from having to mine the useless prong, he must also be sure that you are not contacting another node that might have the true current consensus block chain. In the current bitcoin structure, with far fewer distinct mining sources, even the price to make a fork is so large that this is not a problem. Miners don't waste time continuing on their fork.

Imagine that your "SPV provider" were a mining node that has somewhat less than 10% of the total hash rate, and is hence making a block every two hours or so. He might, if he wanted to, put this hash rate in a fork, instead of putting it in the consensus chain (I don't see why but OK). That fork grows slower, but it is a correct chain, and he can give you the SPV elements of that chain. You may be tricked into believing a recent transaction on his prong, that is not part of the general consensus.

But from the moment that you know the real chain head, this won't work. And the real chain head is given to you by the major mining pools. Note that the danger Satoshi pointed out is also a danger for a full node. If a full node is kept apart from the rest of the network, and is only fed with a false prong, that full node will be just as gullible as your SPV client.
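The SPV check the post describes, worked through as an added example (not code from the post or from any Bitcoin implementation): given T, the Merkle leg M(T), the header list H and a separately obtained recent list H', verify membership, proof of work, linkage and overlap. Merkle hashing follows Bitcoin's rules (double SHA-256, odd last node duplicated); the header layout, the difficulty target and the three-block chain are constructed simplifications, not the real 80-byte format.

```python
import hashlib

def dsha(b):                      # Bitcoin's double SHA-256
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()
def merkle_branch(leaves, index):
    """Root and the leg M(T) for leaf `index`, as (sibling_hash, sibling_is_right) pairs."""
    level, branch = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:            # Bitcoin duplicates the odd last node
            level.append(level[-1])
        sib = index ^ 1
        branch.append((level[sib], sib > index))
        level = [dsha(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], branch

def merkle_verify(txid, branch, root):
    h = txid
    for sib, is_right in branch:
        h = dsha(h + sib) if is_right else dsha(sib + h)
    return h == root
TARGET = 1 << 244   # constructed toy target (about 12 leading zero bits): mining is instant
def header_hash(h):               # constructed simplified header: prev hash | merkle root | nonce
    prev, root, nonce = h
    return dsha(prev + root + nonce.to_bytes(4, "little"))
def meets_target(h):
    return int.from_bytes(header_hash(h), "little") < TARGET
def mine(prev, root):
    nonce = 0
    while not meets_target((prev, root, nonce)):
        nonce += 1
    return (prev, root, nonce)

def spv_verify(txid, branch, block_index, chain, recent):
    """Post's checks: M(T) puts T in B; each header in H has PoW and links back; H ends inside H'."""
    if not merkle_verify(txid, branch, chain[block_index][1]):
        return False
    for i, h in enumerate(chain):
        if not meets_target(h) or (i and h[0] != header_hash(chain[i - 1])):
            return False
    return header_hash(chain[-1]) in {header_hash(r) for r in recent}

def build_demo():
    """Constructed data: three blocks, T is the second tx of block 1."""
    txs = [[b"coinbase0"], [b"coinbase1", b"pay Alice", b"pay Bob"], [b"coinbase2"]]
    chain, prev = [], b"\x00" * 32
    for block in txs:
        chain.append(mine(prev, merkle_branch([dsha(t) for t in block], 0)[0]))
        prev = header_hash(chain[-1])
    return dsha(b"pay Alice"), merkle_branch([dsha(t) for t in txs[1]], 1)[1], chain
```

The last test case in the verifier mirrors the post's warning: a provider on a privately mined prong can hand over a chain that passes every local check and still fails once H' from the real miners does not contain its tip.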