The sig from the user is only valid for a tx that puts the money in a regular submarine swap address, so that's the only thing the server can do with the money, whereupon the user has 2 weeks to sweep it back (I use relative timelocks). So the "sad path" is that the server tries to sweep the money, has to wait, and the user recovers it using the secret. Moreover, in my demo implementation, the user's sig also depends on the existence of another utxo which gets spent whenever the user sends or receives money -- so the next time the user does that, the old sig becomes invalid, and the server can't use it.
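
A toy model of the scheme described in the comment above, added here as an illustration and not the commenter's demo implementation. It assumes the dependency on the other utxo is an extra transaction input, uses HMAC in place of a real signature, and takes 2016 blocks as the two-week relative timelock; all names and values are constructed.

```python
import hashlib, hmac

TIMELOCK = 2016  # assumed relative timelock: about 2 weeks of blocks

def sign(key, inputs, output):
    # Toy signature: HMAC over a digest committing to every input and the output.
    msg = hashlib.sha256(repr((sorted(inputs), output)).encode()).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Chain:
    def __init__(self, utxos):
        self.utxos, self.height, self.swaps = set(utxos), 0, {}

    def broadcast(self, key, inputs, output, sig):
        # Valid only if every committed input is unspent and the sig matches.
        if not set(inputs) <= self.utxos:
            return "rejected: input already spent"
        if not hmac.compare_digest(sig, sign(key, inputs, output)):
            return "rejected: bad signature"
        self.utxos -= set(inputs)
        self.swaps[output] = self.height  # height at which the swap output confirmed
        return "confirmed"

    def sweep(self, output, who, preimage=b""):
        # User path: preimage of the hash, any time. Server path: after TIMELOCK.
        if output not in self.swaps:
            return "rejected: no such output"
        if who == "user":
            ok = hashlib.sha256(preimage).hexdigest() == output[1]
        else:
            ok = self.height - self.swaps[output] >= TIMELOCK
        if not ok:
            return "rejected: script not satisfied"
        del self.swaps[output]
        return "swept by " + who

def demo():
    key, secret = b"constructed-user-key", b"constructed-secret"
    swap = ("swap", hashlib.sha256(secret).hexdigest())
    inputs = ["funds:0", "companion:0"]  # constructed outpoints
    sig = sign(key, inputs, swap)        # what the user hands the server
    # Server tries to pay itself instead of the swap address: sig no longer matches.
    out = {"redirect": Chain(inputs).broadcast(key, inputs, ("server", "addr"), sig)}
    stale = Chain(inputs)
    stale.utxos.discard("companion:0")   # user sent or received money since signing
    out["stale"] = stale.broadcast(key, inputs, swap, sig)
    sad = Chain(inputs)                  # sad path: server broadcasts, user recovers
    out["sad"] = [sad.broadcast(key, inputs, swap, sig),
                  sad.sweep(swap, "server"), sad.sweep(swap, "user", secret)]
    return out
```

`demo()` returns the outcome of the three cases: a redirected output, a stale signature after the companion utxo is spent, and the sad path where the user sweeps back with the secret before the server's timelock matures.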