I totally agree with the first paragraph … the centralisation risk is minimal at this time due to the well known honest actors involved. So keep the switch for this iteration of lelantus and have a switch on Spark that can be reviewed after a minimum of say 1 year.
For the upgrade transfer of funds, have we thought enough if it is possible to assure the supply is correct - the code (on github) being the prover - yet at the same time have a non-transparent transfer transaction.
Old --------> Spark
|
V
supply count