What should users do with their Whirlpool change since they can't spend it to anyone besides the specific source who originally sent them the coins in the first place?
Personally, I combine toxic change with other toxic change where lack of privacy is minimum. I don't use it that much anymore though, because Monero is simply superior than both of you. There is an entire article on what to do with toxic changes, though:
https://bitcoiner.guide/doxxic/.
It is Whirlpool's fault because Whirlpool doesn't allow you to consolidate your coins privately like WabiSabi enables.
It has been said multiple times already that it allows you to consolidate them with a mix partner. At this point, you're just repeating the same soundbites. WabiSabi != Whirlpool, so yeah, it doesn't allow you to consolidate
just as WabiSabi does.
Your solution would allow Bob to DoS the coinjoin coordinator by choosing an output address that matches one of the input addresses.
No. The coordinator would simply refuse to work on a coinjoin where outputs contain addresses from inputs, just as you've programmed it to refuse "naughty" coins.
Nothing is
provably revealed, in the sense that I can be 100% sure to ownership identification, just as if I send all of my coins to a single address, you can't tell if it was self-transfer or I spent them to a merchant. But, privacy is about possibilities, and input / output collaborations and merges only worsen uncertainty. There is an entire analysis technique called
Boltzmann score that computes resistance to this
potential linking. WabiSabi coinjoin is worse in that matter, as it appears in kycp.org.