You just explained to me that everything needed for an attack is around 15BTC and linking the right UTXOs at the right time to my identity and you can successfully attack me.
As I explained in the Twitter post, you can't be successfully Sybil attacked because you would be able to detect the coordinator is malicious when you are not allowed to register a second UTXO that is already private.
I think you're missing something here. Suppose the coordinator isn't trying to attack. What if Coinfirm does?
You have a point. What if they allow only "illegal" UTXO to participate in a CoinJoin transaction? All outputs of such a transaction can also be assumed to be associated with illegal activity and can be further tracked by Coinfirm. Potentially, Wasabi Wallet CoinJoin can act as a honeypot for criminals because it consolidates all inputs and outputs into clusters convenient for chain surveillance.
I can't verify that this is not already happening because Coinfirm API is not open-source.
Attack scenario: Coinfirm makes the Wasabi Wallet coordinator accept only dirty UTXOs in a single transaction and then tries to catch at least one of the criminals on the output side. It is kind of a Sybil attack but you don't need to pay additional fees and apply extensive filtering to UTXOs since they all belong to bad guys.
It doesn't make a difference if Coinfirm is involved, the Sybil attack would be detected and interpreted as a malicious coordinator by clients the exact same way.
I've already explained that address reuse is bad for privacy, it's in the Bitcoin whitepaper
Which is exactly my point. But you don't seem concerned with Wasabi doing address reuse in coinjoins according to all those people who argue it does.
What do you mean "I don't seem concerned"? I have never made any exceptions for address reuse being okay: