Well I agree here. If the checkpoint challenge period is long enough (2 wks, for example), then everyone can exit if a withheld checkpoint is proposed.
One way is to avoid priority queue as much as possible to avoid emergency mass exit (perhaps cannot avoid it :). Instead just halt chain and turn into “withdraw only mode” for now, and user can exit without urgency or priority. One can do that in one transaction with vote sigs in short period (no need > 2 weeks. Around 2-6 hours would be enough for that).