Before a sender publishes their transaction, they need to select a cosigner for each UTXO they're spending. Nobody can be trusted to select a cosigner at will, or they'll choose themselves or a friend, so they have to run a proof of randomness algorithm, PORA. The PORA selects a payment address at random from the pool of unconfirmed transactions. The owners of the selected addresses become the cosigners of the UTXOs being spent in the sender's transaction.
Consider a scenario where an attacker splits their coins into an incredibly large number of outputs, with small amounts in each. By submitting all of these unconfirmed outputs to the pool at once, they are able to artificially increase their chances of being selected as a cosigner, no? The PORA isn't necessarily effective if attackers can directly manipulate the odds anyway, and, as has been mentioned, since there are no fees, the cost of doing this is effectively zero.
Without a Proof of Work or some kind of mitigation mechanism, your network would constantly be susceptible to 51% attacks, at least to my understanding.