I’m not sure why there is a misunderstanding here, especially given that you work for a wallet provider. The attack is as described: an attacker forks, mines invalid blocks, which are caught by full nodes, since they validate the contents of blocks, but not by the light client - assume for simplicity that the client connects to the malicious node and doesn’t do anything more than calculate PoW. The SPV client trusts an invalid blockchain, and a fault occurs. Coda is designed precisely to avoid this problem, and any solution that requires trusting full nodes, because it provides constant-time verification of all of the contents of every block.
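
The difference between the two checks described in the post above, as an added toy model (not part of the original post, and not Coda's or any wallet's code). The header layout, the hash standing in for a Merkle root, the three-zero difficulty, and all account names and function names are assumptions made for the illustration.

```python
import hashlib, json

DIFFICULTY_PREFIX = "000"  # constructed toy difficulty so mining finishes instantly

def tx_root(txs):
    # Stand-in for a Merkle root: a hash committing to the block's transactions.
    return hashlib.sha256(json.dumps(txs, sort_keys=True).encode()).hexdigest()

def header_hash(h):
    data = f"{h['prev']}|{h['root']}|{h['nonce']}".encode()
    return hashlib.sha256(data).hexdigest()

def mine(prev, txs):
    header = {"prev": prev, "root": tx_root(txs), "nonce": 0}
    while not header_hash(header).startswith(DIFFICULTY_PREFIX):
        header["nonce"] += 1
    return {"header": header, "txs": txs}

def light_client_accepts(headers, genesis="0" * 64):
    # Header-only check: linkage and proof of work, nothing about contents.
    prev = genesis
    for h in headers:
        if h["prev"] != prev or not header_hash(h).startswith(DIFFICULTY_PREFIX):
            return False
        prev = header_hash(h)
    return True

def full_node_accepts(blocks, balances, genesis="0" * 64):
    # Same header checks, plus re-execution of every transaction.
    balances = dict(balances)
    if not light_client_accepts([b["header"] for b in blocks], genesis):
        return False
    for b in blocks:
        if b["header"]["root"] != tx_root(b["txs"]):
            return False
        for tx in b["txs"]:
            if tx["amount"] <= 0 or balances.get(tx["from"], 0) < tx["amount"]:
                return False  # spends coins the sender does not have
            balances[tx["from"]] -= tx["amount"]
            balances[tx["to"]] = balances.get(tx["to"], 0) + tx["amount"]
    return True

def demo():
    balances = {"alice": 10}  # constructed starting state
    good = mine("0" * 64, [{"from": "alice", "to": "bob", "amount": 5}])
    # Constructed invalid block: "mallory" has no balance, yet the PoW is genuine.
    bad = mine(header_hash(good["header"]), [{"from": "mallory", "to": "eve", "amount": 1000}])
    chain = [good, bad]
    return light_client_accepts([b["header"] for b in chain]), full_node_accepts(chain, balances)
```

`demo()` returns the light client's verdict followed by the full node's verdict on the same chain; only the transaction re-execution step distinguishes them.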