The signature itself can carry data,  if you know the 'private key'  you can completely recover the nonce.  (or vice versa, e.g. a predictable nonce in the signature lets you recover the data hidden in the 'valid' public key).   So in that case you've just moved the storage from one place to another.  Of course the storage is prunable, but so is op_return and witness data.  The 'proof of key' data would be presumably MORE prunable but this starts to feel like hair splitting to me.  I have suggested some more elaborate ways of proving keyness that require massive slowdowns, switch to a far sketchier bilinear group, but which eliminate the signature side channel... but they still do nothing for 'real key' storage.   The work used to grind real keys is also conserved, unless address reuse is banned.

I think tromp underestimates the amount of data you can store directly in 'real' keys too, if you don't mind the receiver having to be somewhat computationally expensive (such as requiring the resources of a fast desktop class machine to keep up with the chain) you can store on the order of 64-bits per output in the key (by DL solving the keys), 8 or more bits in amount LSB.  If you don't mind building up a large stash of coins in your wallet you can store several bits per input in the form of what coins you select and what orders you select them, and so on.   So at best you increase the attackers fee cost by a modest constant factor.   It's not nothing but the cost it comes with in terms of reduced functionality and overhead are considerable.   If they stopped the abuse completely *maybe* you could justify-- but like, say the threat that someone will embed illegal information in order to harass node operators is not going to be meaningfully stopped by making it 5x more costly because they could only store 9 bytes per 40 bytes of output data.