Are you the posting police?
You half answered my question. Nobody has answered the question fully IMO and it looks to me like a serious security hole.
If someone doesn't answer your question to your satisfaction you should follow up in the same thread instead of creating a new thread in an entirely different forum.
It's not a security hole. You're making a mistake setting up the wallets.
You said IF I set up my watch correctly with 2 xpubs THEN it will work correctly. Granted, that's correct and I did make a mistake there. But an attacker does not have to do that. They set up watch with 1 xpub, as I did, and then only required 1 sig to drain from both offline 2of2 multisig wallets! What's the answer to that? That's quite serious IMO.
I set up the offline multisigs correctly, because it says 2of2 in each header and 2of2 of the default multisig in electrum. I apologise in advance if I have made a setup or assumption error, but I don't think so.
Maybe you've made an error in setting up the watch-only wallet, which is why signing with just one offline wallet is sufficient. I've explained what a watch-only wallet with just one xpub means on Stack Exchange. Perhaps your watch-only wallet corresponds to single-sig addresses and not multisig ones, or it isn't really a watch-only wallet. You can view the addresses via View menu > Show Addresses and then switch to the Addresses tab. Compare them with the addresses on the offline multisig wallets. You can also search this tab using Ctrl+F. Are the addresses the same?