Board: Development & Technical Discussion
Topic: Re: Signature aggregation for scaling - what is possible?
Post by NotATether on 04/10/2022, 06:03:35 UTC
It's non-custodial because funds are stored in 1-of-N multisignatures and the protocol allows for you to get out any time you wish.

Again, this 1-of-N fallback option is irrelevant when it's cost-prohibitive for individuals to transact on chain.
For the purposes of this thought experiment, assume a single transaction on chain is more than the net worth of most individuals.
The 1-of-N may as well not exist.

The 1-of-N is a shared address for everyone in the settlement pool.

I've modified the design a bit so that you don't directly transact from the 1-of-N address.

Now, each settlement aggregates its MuSig key into a larger, M-of-N key (where M > N/2).

This means all of the funds of this protocol will now be stored in a single, shared MuSig. Now there are no fund-loss issues when the computer running a settlement pool shuts down abruptly.

All settlement pools keep a state of settlement public keys, along with the pubkey and virtual/physical address assigned to each user on that pool. But they do not share any private keys, of course.

If a settlement is shut down for whatever reason, any settler from that settlement can start a connection with any other settlement and send it a BIP322-signed transaction for the 1-of-N MuSig (to prove that they were part of a pool). Once the settlement verifies the signature, the settler can send a proper 1-of-N MuSig transaction for the desired amount [of course this tx will be invalid on-chain, because the 1-of-N MuSig is not funded]. The settlement will then make an entry in its database to credit whatever addresses were specified inside it with their respective amounts when the next block is mined and a global M-of-N MuSig transaction is made for it.

Settlement pool owners earn fees proportional to the volume of transactions they process, so all tx fees for L1 will be paid from settlement pool fees.
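A constructed Python model of the takeover bookkeeping described above, added here as an example and not taken from the post or any implementation; all names are hypothetical, and the BIP322/MuSig membership proof is replaced by an HMAC stand-in so it runs offline. It assumes the checks a receiving settlement would need before crediting: the claim must come from a known member of that pool, must not have been credited before, and must not exceed the balance the shared state records.

```python
import hashlib
import hmac
import json

# Constructed model of one settlement pool's bookkeeping for the takeover path
# above (hypothetical names). The BIP322/MuSig membership proof is replaced by
# an HMAC stand-in so the example runs offline; a real pool holds only pubkeys.
def stand_in_verify(member_key: bytes, claim: bytes, proof: bytes) -> bool:
    # Stand-in for BIP322 verification: proof must equal HMAC(member_key, claim).
    return hmac.compare_digest(hmac.new(member_key, claim, hashlib.sha256).digest(), proof)

class Settlement:
    def __init__(self, state, verify=stand_in_verify):
        self.state = state      # pool pubkey -> {settler id: (member key, balance in sats)}
        self.verify = verify
        self.pending = {}       # address -> amount to credit in the next M-of-N tx
        self.seen = set()       # hashes of claims already credited

    def accept_claim(self, pool_key, settler, claim, proof):
        members = self.state.get(pool_key, {})
        if settler not in members:
            return False        # not a known settler of that pool
        key, balance = members[settler]
        if not self.verify(key, claim, proof):
            return False        # membership proof failed
        claim_id = hashlib.sha256(claim).hexdigest()
        if claim_id in self.seen:
            return False        # same off-chain tx presented a second time
        outputs = json.loads(claim)["outputs"]
        total = sum(outputs.values())
        if total <= 0 or total > balance or min(outputs.values()) <= 0:
            return False        # never credit more than the shared state records
        self.seen.add(claim_id)
        members[settler] = (key, balance - total)
        for addr, amt in outputs.items():
            self.pending[addr] = self.pending.get(addr, 0) + amt
        return True

    def settle_block(self):
        # Hand the accumulated credits to the global M-of-N MuSig tx and reset.
        batch, self.pending = self.pending, {}
        return batch

def demo():
    # Constructed sample: pool "pool1", settler alice holding 50_000 sats.
    alice_key = b"alice-member-key"
    s = Settlement({"pool1": {"alice": (alice_key, 50_000)}})
    claim = json.dumps({"pool": "pool1", "outputs": {"bc1q-bob": 30_000}}).encode()
    proof = hmac.new(alice_key, claim, hashlib.sha256).digest()
    return s.accept_claim("pool1", "alice", claim, proof), s.accept_claim("pool1", "alice", claim, proof), s.settle_block()
```

`demo()` accepts the first claim, rejects the replay of the same claim, and hands one pending credit to the next block.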