On Sat, Jun 14, 2025 at 11:50 PM Sanket Kanjalkar <sanket1729@gmail.com> wrote:
> Do you mean arbitrary output address that is unknown at commitment time? Otherwise, I think the current CTV vault does allow abort/allowing from "stage area" to "hot area" or abort to "rescue area". While general purpose recursive vaults will allow funds back into same "cold area", I think it is possible to also move funds back into same back under the same cold keys with a bounded recursion CTV provides.

Moving funds back to the initial key that the attacker already has demonstrated the ability to release from doesn't seem useful to me.  -- though that is a thing the presigned example I gave doesn't do.


> Finally, on the usefulness of vaults; based on my own observation of all the hacks (bitcoin and wider crypto), in most cases it is not the key that is stolen but rather the authorization process or UI/UX hacks or something else up the signing stack is compromised. Having reactive security to "undo" feels valuable in this scenario.

Is there an example of a hack that has been defeated by one?  It would be interesting to see the exact workflow.

If the scheme is just released into a 'hot area' and the hot area keys have the power to send the coins anywhere, presumably the attacker will attack the hot area keys and wait for funds to be moved there and instantly sweep once they're there.  If the hot area keys are presumed secure, then they can be multisig on the release from 'cold'.

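The two attack paths argued over above (an unexpected trigger that a watchtower can undo, versus compromised hot-area keys that simply wait for a legitimate unvault) are easy to see side by side in a toy state machine. The following is an added illustration, not code from either poster and not any real CTV vault implementation: the "vaulted -> staged -> hot/rescued" flow, block heights, the rescue path being an unsigned pre-committed output that a watchtower can fire, and the attacker winning the race at timelock expiry are all assumptions of the model.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    VAULTED = "vaulted"    # funds at rest under the cold key
    STAGED = "staged"      # unvault started; timelocked staging area
    RESCUED = "rescued"    # aborted to the rescue area during the delay
    SWEPT = "swept"        # spent from the hot area to an arbitrary destination


@dataclass
class Vault:
    delay: int                         # blocks the staging area must wait (CSV-style)
    state: State = State.VAULTED
    staged_at: Optional[int] = None
    owner_of_funds: str = "owner"      # who ends up holding the coins
    log: list = field(default_factory=list)

    def trigger(self, height: int, signer: str) -> None:
        """Cold key starts the unvault; the output moves to the staging area."""
        if self.state is not State.VAULTED:
            raise ValueError(f"cannot trigger from {self.state.value}")
        if signer != "cold":
            raise ValueError("only the cold key can trigger an unvault")
        self.state = State.STAGED
        self.staged_at = height
        self.log.append((height, "trigger"))

    def rescue(self, height: int) -> None:
        """Abort from the staging area to the rescue area.
        Assumption: the rescue path is a pre-committed (CTV-style) output that
        needs no fresh signature, so a watchtower can fire it at any time while
        the coins still sit in staging."""
        if self.state is not State.STAGED:
            raise ValueError(f"nothing to rescue in state {self.state.value}")
        self.state = State.RESCUED
        self.owner_of_funds = "owner"
        self.log.append((height, "rescue"))

    def sweep(self, height: int, signer: str, beneficiary: str) -> None:
        """Spend from the hot area to an arbitrary destination.
        Allowed only once the delay has elapsed and the hot key signs."""
        if self.state is not State.STAGED:
            raise ValueError(f"cannot sweep from {self.state.value}")
        if height < self.staged_at + self.delay:
            raise ValueError("timelock not yet satisfied")
        if signer != "hot":
            raise ValueError("hot key signature required")
        self.state = State.SWEPT
        self.owner_of_funds = beneficiary
        self.log.append((height, f"sweep->{beneficiary}"))


def scenario_unexpected_trigger(delay: int = 144) -> Vault:
    """Attacker got a trigger signed (stolen cold key, or a compromised signing
    stack). The owner scheduled no unvault, so the watchtower treats the
    staging output as hostile and fires the rescue inside the window."""
    v = Vault(delay=delay)
    v.trigger(height=100, signer="cold")           # attacker's trigger
    v.rescue(height=101)                           # watchtower claws back next block
    try:
        v.sweep(height=100 + delay, signer="hot", beneficiary="attacker")
    except ValueError:
        pass                                       # nothing left in staging
    return v


def scenario_compromised_hot_key(delay: int = 144) -> Vault:
    """Attacker holds the hot key and waits. The trigger is the owner's own,
    expected unvault, so the watchtower has no reason to rescue; the attacker
    cannot jump the timelock but sweeps the moment it expires."""
    v = Vault(delay=delay)
    v.trigger(height=100, signer="cold")           # legitimate, scheduled unvault
    try:
        v.sweep(height=100 + delay - 1, signer="hot", beneficiary="attacker")
    except ValueError:
        pass                                       # timelock still holds
    # Assumption: at expiry the attacker's transaction wins the race.
    v.sweep(height=100 + delay, signer="hot", beneficiary="attacker")
    return v


if __name__ == "__main__":
    for fn in (scenario_unexpected_trigger, scenario_compromised_hot_key):
        v = fn()
        print(fn.__name__, v.state.value, "funds:", v.owner_of_funds, v.log)
```

The second scenario is the point of the reply above: the delay buys the watchtower a window only against a trigger it was not expecting, and nothing in the vault itself distinguishes the owner's sweep from an attacker's once the hot key is the sole authority at expiry.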
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAAS2fgTj3o%3DBSUQhCJT4pk_YpSkfT6%2Bw%3DYmss3CntHst3y_DpQ%40mail.gmail.com.