The thing I don't understand is why the software (of CoinJoin or Lightning) can't warn users about RBF-enabled unconfirmed parents. If users are afraid of being victimized in this way, they only have to avoid dealing with inputs whose parents are RBF-enabled and unconfirmed.
I'm not convinced that this change will have a good impact, unless there's another danger I haven't thought of (or understood). Sure, nodes could replace non-RBF transactions since 2009 if the users changed the source code, but it feels like we're now moving into something else.
For this to succeed, the majority of nodes need to see transaction_2 first while the honest party (the one who does CPFP) sees transaction_1 first.
I guess the attacker knows the victim's node URI?
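An added example, not part of the post above and not code from any CoinJoin or Lightning implementation, of the warning the post asks for: a check over transactions in the JSON shape that bitcoind's `getrawtransaction <txid> true` returns (`vin[].sequence`, `confirmations`) that flags proposed inputs whose unconfirmed parent signals BIP125 replaceability, including inheritance from the parent's own unconfirmed ancestors, with a `full_rbf` switch that treats every unconfirmed parent as replaceable regardless of signaling, since under full-RBF the signal alone no longer protects the honest party. `SAMPLE_TXS` is constructed data.

```python
# Added illustration: flag proposed inputs whose unconfirmed parent is
# replaceable, either by BIP125 opt-in signaling or because the peer's
# mempool policy is full-RBF. Not code from the thread or any project.

# BIP125: an input with nSequence < 0xffffffff - 1 signals replaceability.
BIP125_MAX_SIGNALING_SEQUENCE = 0xFFFFFFFD


def signals_rbf(tx):
    """True if any input of tx explicitly signals BIP125 replaceability."""
    return any(vin["sequence"] <= BIP125_MAX_SIGNALING_SEQUENCE for vin in tx["vin"])


def is_confirmed(tx):
    return tx.get("confirmations", 0) > 0


def replaceable(txid, tx_lookup, full_rbf=False, _seen=None):
    """True if the unconfirmed tx `txid` can be replaced in the mempool.

    BIP125 rule: a tx is replaceable if it signals, or if any unconfirmed
    ancestor signals (replaceability is inherited). With full_rbf=True,
    every unconfirmed tx counts as replaceable. Unknown txids count as
    replaceable because nothing can be verified about them.
    """
    _seen = set() if _seen is None else _seen
    if txid in _seen:
        return False  # already visited on this path
    _seen.add(txid)
    tx = tx_lookup.get(txid)
    if tx is None:
        return True
    if is_confirmed(tx):
        return False  # a confirmed tx is no longer subject to RBF
    if full_rbf or signals_rbf(tx):
        return True
    # Walk unconfirmed ancestors: replaceability is inherited from them.
    return any(replaceable(vin["txid"], tx_lookup, full_rbf, _seen) for vin in tx["vin"])


def risky_inputs(candidate_inputs, tx_lookup, full_rbf=False):
    """Return [(txid, vout, reason)] for inputs a wallet should warn about.

    candidate_inputs: (txid, vout) pairs a counterparty proposes to spend.
    tx_lookup: txid -> decoded tx (bitcoind getrawtransaction verbose shape).
    """
    flagged = []
    for txid, vout in candidate_inputs:
        parent = tx_lookup.get(txid)
        if parent is None:
            flagged.append((txid, vout, "parent transaction unknown"))
        elif not is_confirmed(parent) and replaceable(txid, tx_lookup, full_rbf):
            reason = "unconfirmed parent (full-RBF policy)" if full_rbf \
                else "unconfirmed parent is BIP125-replaceable"
            flagged.append((txid, vout, reason))
    return flagged


# Constructed sample data (not real transactions). "a" is confirmed; "b" is
# unconfirmed and does not signal; "c" signals; "d" does not signal but spends
# the unconfirmed signaling tx "c", so it inherits replaceability.
SAMPLE_TXS = {
    "a": {"confirmations": 3, "vin": [{"txid": "coinbase", "vout": 0, "sequence": 0xFFFFFFFF}]},
    "b": {"confirmations": 0, "vin": [{"txid": "a", "vout": 0, "sequence": 0xFFFFFFFF}]},
    "c": {"confirmations": 0, "vin": [{"txid": "a", "vout": 1, "sequence": 0xFFFFFFFD}]},
    "d": {"confirmations": 0, "vin": [{"txid": "c", "vout": 0, "sequence": 0xFFFFFFFF}]},
}
CANDIDATES = [("a", 0), ("b", 0), ("c", 0), ("d", 0), ("e", 0)]


def demo(full_rbf=False):
    """Return just the (txid, vout) pairs flagged for the sample data."""
    return [(t, v) for t, v, _ in risky_inputs(CANDIDATES, SAMPLE_TXS, full_rbf)]


if __name__ == "__main__":
    for mode in (False, True):
        print("full_rbf=%s:" % mode)
        for txid, vout, reason in risky_inputs(CANDIDATES, SAMPLE_TXS, mode):
            print("  warn: %s:%d - %s" % (txid, vout, reason))
```

With opt-in policy only `c`, `d` (inherited) and the unknown `e` are flagged; with `full_rbf=True` the non-signaling unconfirmed `b` is flagged as well, which is exactly the gap the thread is discussing: a wallet can warn about signaled parents today, but once peers replace non-signaling transactions the only safe rule is to refuse any unconfirmed parent.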