The vulnerability has been reported by Ginger here:
https://github.com/GingerPrivacy/GingerWallet/discussions/116. I had never read about it until yesterday. The steps to reproduce are trivial, as you can see. The coordinator issues a different maxAmountCredentialValue for every round-state request, and he can use it to link input and output registration.
So, everything below v2.2.1.0 is now empirically trust-requiring.
Yep, that's exactly how this bug was caught and fixed. Having multiple teams implementing the protocol with open source code is a great advantage for hardening software.
Having multiple teams working on open-source is good, but the numerous poor decisions made by Wasabi developers so far overshadow the greatness of open-source collaboration. I haven't witnessed so many serious vulnerabilities reported in any other privacy software so far...