No, I take your point–more actions on chain = more attack surfaces. I think the mitigant is that the barrier to bringing any of these live is sufficiently high and the stakes similarly sufficiently high that only very simple motions and only extensively tested motions could make it to production. The idea of this committee is that it should do very very little but what it does do should be abundantly clear and if it makes it through to production, it is a candidate to being a forever rule encoded on-chain.
The other mitigant is that this is outside of the scope of the protocol itself, considering the scope is limited to Aragon treasury funds. It’s true stETH surplus accumulates in this treasury but the extent of the responsibility of the committee is limited to just that ringfence and no further.
Fundamentally I take your point, generally yes more attack surfaces equals more risk. This proposal asks token holders whether they weigh the benefits of more explicit principles, pathway to ossification, etc. over the risk of attack vectors emerging. The upside is not necessarily a monetary one but a choice to do more things in an ossified way rather than off-chain. Personally, I think when it comes to a path to taking human decision making out of the equation, the tradeoffs are generally worthwhile. But of course not at any cost (risk must be mitigated as much as possible etc.).