Then they will open a double trade with RBF by spending high, and the transfer of the person who finds it will be cancelled.
That's what you get when solving "puzzles": there is always a risk of someone else solving it, whether on their own or based on your solution. But if you don't want a transaction to be replaced easily, then don't mark it with RBF! Spending the same output would make it a double spend, and the majority of nodes won't relay the double-spend transaction.
It occurred to me that the thief would figure it out in about 3 minutes.
Are you sure? 3 min doesn't sound right for a 64-bit key.
The average bitcoin transfer confirmation takes 10 minutes and can be canceled without 3 confirmations. (I could be wrong, please correct me.)
How can you get 3 confirmations in 5 minutes in a Bitcoin transfer?
You don't need 3 confirmations, 1 is enough. More is for protection against 51% attacks, which cannot happen in bitcoin due to the huge amount of money it requires.