“Not your key, not your coins” cuts both ways.
Until someone derives the private key, the puzzle coins are ownerless data on-chain, yes.
"Derives the private key"?
That's basically saying "I never owned this key".
None of these arguments will ever hold in any court on this planet, simply because it is impossible to ever prove that you were the first to "derive the key", craft a TX, and have it reach a P2P node, before someone else. That shit is dealt with only after a block is mined and the issue gets settled, not before.
It's one thing to hack someone's rightful assets, and a totally different thing to have 100 dudes competing over who ECDLPs first a minuscule weak key, in a mempool, over some assets that don't really belong to ANY of them until the block gets mined and the conflict is solved.
Ownership, in a legal manner, involves proving that the private key was OWNED by you, not that it was "derived". This is done by showing that the private key was indeed a full-entropy 256-bit random blob, not a lame-ass zero-filled empty blob with a few bytes at the end.