Right. So after doing a little digging, it seems that the unhardened path can compromise all the coins in a wallet if the xprv of one address is compromised.
If it's the xprv that's compromised, it doesn't matter if it's unhardened or not, hacker can just derive the private keys from it.
You must be talking about the parent xpub and one of its xprv pair's child private key.
Basically, the wallet's "
extended public key" and a "
private key".
Of course in MultiSig, it needs the
N" number of cosigners, not just one.
And the other cosigner's xpub and private keys are unrelated to each other, that unhardened derivation vulnerability isn't applicable to each cosigner's keys.