My paranoid thought experiment relies on the fact that the words for the Electrum passphrase are fixed and known.
By default, the 12 words chosen from 2048 do offer a huge number of combinations. As has been pointed out, the risk of accidental duplication is small.
However, if my understanding is correct, in my thought experiment it is easily possible to generate the private keys and addresses that would be created by a real Electrum wallet using the 12 words. A large number of addresses that would result from these keys could be generated relatively easily.
In the attack, the blockchain could be scanned for one of these addresses, and finding any one would confirm that there exists (or existed) a valid wallet with potentially unspent coins. The wallet funds could then be stolen by generating new spends and sending them to addresses owned by the attacker.
While large amounts of computing power might be needed, this attack would work against airgapped wallets as well as those on-line.
Is this a feasible (if computationally expensive) attack, or have I misunderstood?
Adding more words would make the computation exponentially more expensive.
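A rough feasibility estimate for the search described in the question above, as an added example that is not part of the original post. It assumes every 12-word combination from the 2048-word list is equally likely; the wallet count and guess rate are constructed and deliberately generous to the searcher.

```python
import math

WORDLIST_SIZE = 2048              # word list size stated in the post
SECONDS_PER_YEAR = 365 * 24 * 3600


def seed_space(words, wordlist_size=WORDLIST_SIZE):
    """Number of distinct word sequences of the given length."""
    return wordlist_size ** words


def entropy_bits(words, wordlist_size=WORDLIST_SIZE):
    """Entropy of a uniformly random seed, in bits."""
    return words * math.log2(wordlist_size)


def expected_guesses(words, funded_wallets, wordlist_size=WORDLIST_SIZE):
    """Expected guesses before hitting ANY one of `funded_wallets` seeds.

    Guessing without repetition over N seeds of which W are in use,
    the expected position of the first hit is (N + 1) / (W + 1).
    """
    n = seed_space(words, wordlist_size)
    return (n + 1) / (funded_wallets + 1)


def years_to_first_hit(words, funded_wallets, guesses_per_second):
    """Expected wall-clock years until the first in-use seed is found.

    One "guess" here stands for deriving the keys and addresses for a
    seed and checking them against the chain (assumed cost, per guess).
    """
    seconds = expected_guesses(words, funded_wallets) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    WALLETS = 10**9     # constructed: one billion wallets in use
    RATE = 10**12       # constructed: one trillion guesses per second
    for words in (12, 13, 14):
        print(f"{words} words: {entropy_bits(words):.0f} bits, "
              f"~{years_to_first_hit(words, WALLETS, RATE):.2e} years "
              f"to the first hit")
```

Even with these figures the expected time for 12 words is on the order of 10^11 years, and each additional word multiplies it by 2048.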