There are two separate options here. One is download everything, keep 10% for serving. That fully meets the "validate everything" criteria.
But also the second option, the 10% download, I think might be secure, though I'll let the crypto guys decide.
If you trust the full header chain you've downloaded, and if all the blocks you store and serve validate internally and against the header hash, where's the attack vector? For wallet use it's definitely more secure than SPV, but yes, getting the whole UTXO set will require its own solution (haven't read in detail, but
here's a related idea).
You don't expect to connect to hundreds of nodes and for hundreds of nodes to connect to you right? You are getting the blocks from several peers at the same time.
I don't understand where you see the problem. It's not much different than how it's done now. Just in the case of a 1/10 split, 1/10 of the nodes will tell you "I don't have this block", and will likely refer you to another peer they know that does have it. Just another hop or two.
So the nodes would be relying on a central server to be providing them with the info? What about the peer to peer in Bitcoin?
Kad and BT DHT don't rely on servers, they're distributed. And there you usually find a piece of data that's held by 1 in a million, not 1 in 10.