I wouldn't call it critical since the maker would still do on-chain verification for the UTXO and fail then. Nonetheless they are all great findings that should be fixed!

What do you mean by spreading out UTXOs?

A SegWit output is as secure against QC with or without CoinJoin'ing.

Addresses should not be reused anyway. So until spent, the PubKey is not public and thus not susceptible to being broken by QC or anything else.

About plausible deniability: privacy is not a crime! And a very legit thing to worry about. For better or worse, you're always able to prove the trace of your coins through CoinJoins. So it's up to you to reveal it selectively.

Yes! Currently working together with Raspiblitz and Jam V2.

It's a bit more than that. In the JoinMarket protocol, the taker coordinates the transaction and is the only one that knows the inputs -outputs mapping. So you don't have to "trust" the makers with your privacy. But you're vulnerable to Sybil attacks. If all randomly cuosen makers were controlled by the same entity, they could know the inputs-outputs of the taker (or at least gain some info about it).

The protection from these kind of attacks is adding a cost to creating offers. JM uses fidelity bonds for that (timleocked Bitcoin) and incentivizes larger bonds than several small ones.

Likewise!

Blessed by the opportunity to put all my time and energy into what I believe is an important project for Bitcoin and the world. Sustaining projects like this one is possible thanks to your grant. Thank you!