For the sake of accuracy, it’s worth pointing out that points 2 through 5 were implementation bugs resolved in https://matrix.org/blog/2022/09/28/upgrade-now-to-address-en.... They are not current attacks, despite the present tense used to describe them in the parent post.
Also note that in the review of the ecosystem the Matrix developers, i.e you :), also discovered further clients vulnerable to variants of attack #3 and assigned CVE-2022-39252, CVE-2022-39254 and CVE-2022-39264.