Those are addressed by the QUIC specification, by having lots of encryption. The whole content of QUIC packets is encrypted. You can't really do a lot with connection IDs. And for most of the packets you can't even observe the full connection ID, since an abbreviated version is sent.
Can the transport path be hijacked from a single captured packet? As in capture a single packet, scribble an address and the connection now goes via Pentagon or China.
No -- Mosh is careful to make sure that a transient network attack can only result in a transient application-layer consequence. So a single misrouted IP datagram can't permanently affect the connection. Mosh does this at the cost of having client-only mobility; the client keeps sending to the same server address for the life of the connection.