But AFAICT there are multiple perfectly reasonable variants of vaults,
too. One would be:
1. master key can do anything
2. OR normal key can send back to vault addr without delay
3. OR normal key can do anything else after a delay.
Another would be:
1. normal key can send to P2WPKH(master)
2. OR normal key can send to P2WPKH(normal key) after a delay.
I'm confused by what you mean here. I'm pretty sure that BIP-345 VAULT handles the cases that you're outlining, though I don't understand your terminology -- "master" vs. "normal", and why we are caring about P2WPKH vs. anything else. Using the OP_VAULT* codes can be done in an arbitrary arrangement of tapleaves, facilitating any number of vaultish spending conditions, alongside other non-VAULT leaves.
Well, I found the vault BIP really hard to understand. I think it wants
to be a new address format, not script opcodes.
Again confused here. This is like saying "CHECKLOCKTIMEVERIFY wants to be a new address format, not a script opcode."
That said, I'm sure some VAULT patterns could be abstracted into the miniscript/descriptor layer to good effect.