#1 isn't strictly true, you don't need to be "always online", only online at some point within the locktime (normally 3 days right now).
You can also hand your "revocable delivery" transactions to a 3rd party (or multiple 3rd parties) who can monitor and broadcast them in the case of cheating, but can't actually spend any of your money themselves.
So you could have a group of people watching the blockchain always online that can punish non-compliance, but you yourself are only online when you want to transact.
And you could have multiple "watching" services that can prevent any one "watching" service from betraying you.
Obviously controlling your own "watching" system is most secure, but the vast majority of people aren't going to want to do it themselves.
And again, if the biggest worry is that someone will pay off multiple "watchers" then publish a previous version of a channel to steal money from you and hope that your proper node isn't online at any point during the locktime (or DoS your node to prevent you from seeing the bad transaction) to punish the thief and "steal" all the money back. I think we are doing a pretty good job!
Transactions in LN are just as "reliable", and don't introduce centralization in any meaningful way.
As for the "modeling", I'm not sure what you want. The threats have been outlined in the whitepaper, and successfully tested in some capacity on testnet. And now they are being tested as lightning network is being rolled out on mainnet. There might be some formal "threat modeling", but i'm not familiar with what that would even look like or mean.
No better way to "threat model" than to try it out in a hostile environment where bad actors that have some kind of "exploit" can already use it to gain BTC.
> As for the "modeling", I'm not sure what you want. The threats have been outlined in the whitepaper, and successfully tested in some capacity on testnet.
> No better way to "threat model" than to try it out in a hostile environment
You can also hand your "revocable delivery" transactions to a 3rd party (or multiple 3rd parties) who can monitor and broadcast them in the case of cheating, but can't actually spend any of your money themselves.
So you could have a group of people watching the blockchain always online that can punish non-compliance, but you yourself are only online when you want to transact.