Yes, it would be problematic if an honest customer pays from an exchange where they do not control the private key. A dishonest customer notices this (because exchanges tend to batch transactions and are easily visible) and says "that was my transaction". You would not likely get the exchange to investigate this, so it would potentially never get resolved.
There is an easy solution for that: "Tough luck". Either you can prove you bought the note and loaded it or you get nothing. Plus, as they used an exchange to send the funds, it cannot be returned.
I do agree that Polymerbit should have used multiple addresses so it would be a lot easier to track who paid what.