Um, no it doesn't? Malleability merely renames a transaction. The transaction itself is essentially unchanged. It still has the same inputs, outputs and amounts. Renaming a transaction does not enable double-spending, nor does it allow bitcoin funds to be re-directed.
What you wrote is correct for the malled transaction. The edge-case concern is if you quickly build a second transaction using unconfirmed change from the first transaction (that got malled). The reliability of this second transaction becomes questionable during malleability attack, until it receives 1 confirmation. There's a long-term solution to this edge-case (eliminate malleability entirely), and a short-term work-around (disallow wallets from creating transactions using unconfirmed change).
I discussed this in more detail a few posts earlier.