To process refunds to the address from which the request payment was made is not a good idea because many people may make payments from exchanges, and in such cases, the refund would be automatically processed to the exchange address, potentially causing the client to lose their funds.
It’s true that, following this process, clients might lose their funds, but is that even possible? That an exchange address would be flagged?
If ever there is an AML flag on an address, isn’t that supposed to be on the input address to the exchange, rather than having an exchange output address as a flagged address? That is, on the assumption that it isn’t a hack situation on the exchange itself, but even then, it would make sense to do refunds to the exchange address, as the funds don’t originally belong to the client.
I think this could be looked at case by case and not fully automated: a situation where the system could flag an address having AML flags on it as exchange-related and require some diligence in its handling.