Yeah, you're probably right... It just occurred to me when I wrote that, but this is basically risk of all physical bitcoin coins.
I think the conclusion in the edit may be a bit premature without more examples instead of just one. I mean something happened similar with Smoothie involving more than 1 coin and there's no public address list to check against that:
https://bitcointalk.org/index.php?topic=2011139.0;all