If the entire 'hash' were set to zero, someone could instantly steal anyone's coins
How?
which is presumably what you were trying to do instead of ethically reporting a vulnerability you believed you found
What is that vulnerability? Is the case when z=0 somehow more dangerous than z=1? If it is, I didn't expect that, so I don't know what I should "ethically report".
Also it is not a bug, it is a feature.
If it is a feature, then why does it not work in the same way as for non-Segwit addresses? And if it is a feature, then why is it disabled in Taproot? The ability to move any coins connected with some public key by reusing the same signature sounds like a bug to me.