They can use the funds, because even though the ecash is locked to the receiver's pubkey, the bitcoins are not. The ecash is a liability, a credit, backed by an asset, btc. Hermes can run off with the asset (btc) and refuse to honor the liability (ecash).
I'm assuming Hermes isn't part of the Federation, just a service provider operating in the mint.
The mint will only create the ecash after the sats are in its control. So either Hermes steals the funds upfront (no ecash minted, nobody knows they stole unless the sender talks to the recipient), or they'd need to collude with the Federation.
Oh I see what you mean now. I think you are saying Hermes is non-custodial because they don't have your btc, Fedimint does. Is that right?
If so, that doesn't make it non-custodial. Imagine if instead of using Fedimint Hermes showed you a "deposit address" to Coinbase. And then they said "You see, we are non-custodial because we don't have your btc, Coinbase does."
If you tell users "non-custodial" when it's really all a frontend for a custodian's API, you're lying. Tell users the truth so that they are informed. They may be willing to trust that person or group with their money, but the wallet should definitely not lie about the trust model by calling itself non-custodial.