Yes, that’s a valid point and one we’ve considered in our approach. While an attacker could technically change the primary name and spend mainnet gas doing so, the key question is: what’s the incentive to do that if the name cannot be used for any exploit or misleading purpose?
I see, however, I believe with careful consideration and enough rigor, we could design a ContractResolver that prevents this kind of behavior, by ensuring that once a name is set as the reverse resolution for a contract, its forward resolution cannot be arbitrarily changed. This constraint would safeguard against misleading resolution scenarios like later resolving to a different address.