This is not true in general. Assuming a plasma cash chain which only supports single-input transactions as well as single-beneficiary exits, it is possible to require exits to put up a bond. We can analyze the possible attacks against someone in this design and the only one that shows its security level to be below that of the root chain is a direct attack on root chain liveness.
my current guess is Gluon is as secure or more than MVP/Cash.
I think you already understand this from your analysis, but it is worth pointing out that comparison of security of these systems is multidimensional, e.g. one way of breaking it down is to consider
- assuming the child chain mechanism does not get compromised, how can users be attacked?
- assuming the child chain mechanism is compromised, how can users be attacked?
- how likely is it that the child chain mechanism is compromised?
It seems like the answer to (2) is that in the case that the child chain mechanism is compromised, i.e. the PoS block producers withhold data and the 10% token vote threshold is not reached, you do not attempt to provide any guarantees for users?