That is correct. Basically you have to get lucky that after submitting the transaction a new block would be confirmed within 1-2 minutes which I think is around the timeframe what it will take for a top consumer GPU to bruteforce the private key.
I'd be curious to know if it is possible at all to "securely" send the funds of these puzzles or if there is some hard limit that requires the pubkey to be published with the transaction.
I'd be curious to know if it is possible at all to "securely" send the funds of these puzzles or if there is some hard limit that requires the pubkey to be published with the transaction.