> But, that's true for everything. If the attacker randomly comes across your private key, he's also the owner of that public key. Multi-sig or not.

I used to think that multi sig is enforced on chain and the chain would require signature of both keys to move the funds.