So I prudently decline bech32 and AFAIK, most people do the same and hold their bitcoin on address which are either P2PKH or P2SH.
That's unfortunate that there are still people who are making uninformed decisions like this and based on superstition.
Here is a somewhat similar vulnerability in Base58 encoding in a P2PKH address:
1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2, 1BCBMSEYstWetqTFn5AP4m4GFgExJJNDN2. Two addresses are valid and look alike with some characters altered.