You don't need to worry much about an attacker; the Bitcoin network is so big that attacking after 1 or 2 blocks is not worth the hassle. And there is this option where you can turn off RBF; the receiver sees that RBF is turned off for a transaction and would accept it even with zero confirmations.
If you're selling digital goods and services, where you don't lose much if someone gets free access, and it can't be resold for profit, I think you're fine to accept 0 confirmations.
It's mostly only if you were selling gold or currency that you'd need multiple confirmations.