Said attack is not possible in NIP04 due to signatures. Talking about attacks without knowledge is easy. Is it a bad spec? Mostly. Is it so bad that we have to rip out every use case? Probably not. Things like padding can be retrofitted into existing NIP-04 use cases. For example JSON lists can use space padding.