I don't understand why you need to protect users from operator defaults. This seems to be the main premise for the smart contracts, no? Also I don't understand how/why paying with lightning exposes identity of the sender. Ecash seems to also solve this already.