We examined the nullifier designs more closely, and determined that the
previously-selected design was actually fine, but for a somewhat-subtle
reason: even though an adversary with knowledge of a victim's full viewing
key could choose psi to cancel out Hash_nk(rho), the nullifier still
directly depends on rho via the note commitment.
The previously-selected design was broken because an adversary with
knowledge of a victim's full viewing key could perform a Faerie Gold
attack: given knowledge of nk, they can choose psi to cancel out
Hash_nk(rho) and cause a collision.
Some of this content may move into the concepts section, or possibly into
a dedicated specification area, but for now the design section includes
our choices alongside the reasoning.