The problem is that you use the same private key for both signing and encryption. Bitmessage does not do this.
By using the same key for both signing and encryption and you being able to influence the input / read output there are certainly additional attack vectors. For example you could create an unsigned transaction and try tricking the other party into signing it like a normal message.
In the example you gave, wouldn't that be an attack vector that is available without any encryption? For example, using the challenge-verify mechanism that Luke-Jr showed above, you can use an unsigned transaction as the challenge and the user would sign it and send the signature to the malicious attacker. At what step does the attacker need the encrypt/decrypt part?