The problem with trying to have a canonical format is that if you miss anything - anything, a single bit that an attacker can tweak without changing the hash - you're back to square one.
That isn't a reason not to try.
The core problem is that the transaction hash is different from the signature hash.
The possibility that the EC signature is malleable can't be defended against though.
Even then, once it is discovered, a canonical version could be picked (unless you can create a large number or it is expensive).