I do not see how any outside observer can ascertain which co-signer signed off on any given payment. The public key ordering only follows a “numerical ordering”, and is meaningless to that outside observer. The signature ordering must match the public key ordering and has no bearing on which co-signer signed off.

Now all the outside observer can tell that it is M of N, and that M ≤ k ≤ N co-signers signed off on it. But that is not a clear downside, in fact I find it hard to not see it as an large upside in many situations.

What I mean by this is that we know threshold has to have a required lower key reconstruction threshold than signing threshold. This means that if participants collude and reconstruct the private key between them, and then sign at the lower threshold than the desired signing threshold, there is no way to necessarily prove that the undermined bystanding participants did not sign off on the payment or action.

However, with a exposed key-based approach, while an outside observer cannot see who signed off on a payment, an inside observer can not only see but also prove who signed off. This to me makes the potentially much larger and somewhat less private exposed key approach the default to recommend until there are known provably “safe enough” configurations that users can adopt for threshold with real independent third party services that the user wants to use rather than selective mates of the wallet vendor (which is perfectly fine in the short term/testing phase).