Post
Topic
Board Announcements (Altcoins)
Re: NXT :: descendant of Bitcoin - Updated Information
by
xyzzyx
on 06/02/2014, 05:33:44 UTC
That is, the public key would be discarded on an empty account.  No?

Yup - but if when you go to create a new account you can include the public key it must use (this will require a fee to stop spamming) then it wouldn't matter if the same account with a different public key had existed before (and no way to "drain" that account).



The scenario I see is more along the lines of a merchant creates one address each for payment from each of his customers.  An attacker watches the blockchain for these accounts. He'll know they're there when the merchant does a sweep of them into the merchant's main account.

The attacker then generates private keys that have public keys whose first 64 bits match those of the merchant's sweep accounts.

When the blockchain pruning event happens, the attacker registers those new public keys.

When an unaware shopper uses one, the money goes to the attacker, not the merchant.

Ok, not practical now because it is too computationally expensive for *current hardware*.  But it outlines a potential flaw.
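The pruning scenario described in this post, as an added toy model that is not part of the original post or of the NXT code base. It assumes an account id is the leading bits of SHA-256 over the public key, shrinks the id to 16 bits so the search finishes instantly, and uses hypothetical names (`Ledger`, `keep_binding_on_prune`, `colliding_key`) and constructed key bytes.

```python
import hashlib
from itertools import count

ID_BITS = 16  # toy width (assumption); the post discusses 64-bit ids

def account_id(pubkey: bytes, bits: int = ID_BITS) -> int:
    """Assumed derivation: leading `bits` bits of SHA-256(public key)."""
    digest = hashlib.sha256(pubkey).digest()
    return int.from_bytes(digest[:8], "big") >> (64 - bits)

class Ledger:
    """Hypothetical ledger that binds the first public key seen to an id."""
    def __init__(self, keep_binding_on_prune: bool):
        self.keep = keep_binding_on_prune
        self.pubkey = {}   # account id -> bound public key
        self.balance = {}  # account id -> balance

    def register(self, pubkey: bytes) -> bool:
        """Bind pubkey to its id; refuse if a different key is already bound."""
        aid = account_id(pubkey)
        bound = self.pubkey.setdefault(aid, pubkey)
        self.balance.setdefault(aid, 0)
        return bound == pubkey

    def sweep_and_prune(self, aid: int) -> None:
        """Empty the account, then prune; the binding survives only if keep."""
        self.balance[aid] = 0
        if not self.keep:
            del self.pubkey[aid]

def colliding_key(target_id: int) -> bytes:
    """Constructed stand-in for a second key whose id equals target_id."""
    for n in count():
        cand = b"other-key-%d" % n
        if account_id(cand) == target_id:
            return cand

def expected_tries(bits: int, targets: int) -> int:
    """Average number of keys to test before hitting any of `targets` ids."""
    return 2 ** bits // targets

def second_key_accepted(keep_binding_on_prune: bool) -> bool:
    """True if a different key can claim a swept, pruned account id."""
    ledger = Ledger(keep_binding_on_prune)
    merchant = b"merchant-sweep-key"  # constructed sample key bytes
    ledger.register(merchant)
    aid = account_id(merchant)
    ledger.sweep_and_prune(aid)
    return ledger.register(colliding_key(aid))
```

`expected_tries` shows why many sweep accounts matter for risk estimation: the work to match any one of them falls in proportion to the number of ids being watched.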