As with Alice's transaction, Bob's transactions can also be rebroadcast by anyone after they expire from mempools.
Yes for sure, Bob's transactions can be rebroadcast by anyone. Yet any node doing is still facing some "efficient selection" of package to rebroacast issue in a world of limited bandwidth / cache space, easy inadvertently to increase DoS surface.
Mempool expiration is an entirely optional, node-local, feature, and I'm sure plenty of miners have disabled it for obvious economic reasons.
I hope so, I think the presence or absence of expiration in a miner mempool one can probe it from the outside. I don't remember that mempoolexpiry can be turn off completely without custom patchset.
Also, transaction expiration should be based on the oldest transaction in a group of dependent transactions. IIUC, Core does not do this already. But if it did, that attack wouldn't work as using the about-to-expire transaction would reset the expiration timer.
No, I think it should be the most recent transaction in a group of dependent transaction.
Though yes, that variant of the attack wouldn't work anymore as the "group" the expiration timer at each replacement-in of Bob's transaction(s) would be reset. The other variants of the attacks would be still plausible, however the one based on expiration time is by far the dumbest one.
mempoolexpirycan be turn off completely without custom patchset.