the proposals (BIP118 is just one such proposal) for no-input opcodes don't malleate the transaction hash, that's not possible anymore.
They do alter (or malleate if you prefer) which input is used after the transaction has been written (but obviously not once it's confirmed)
no input does malleate the tx hash
the tx hash is created by hashing a complete tx. and as you yourself said no input can alter a input after its been written
the point being if i was using no-input, i made a tx and then copied the tx hash to then monitor the blockchain for broadcasts. whomever gets the tx next could then add more inputs, take away inputs. which would alter the tx hash.
what no-input does is allow alterations of inputs without needing to change the signature script. its the signature that dos not alter. but the tx hash does.. which is what malleability is all about. altering the tx hash to broadcast a tx using an altered hash so someone monitoring a specific hash wont see it.