In most cases yes, at some point the attacker will want to turn his tokens into cash, and at that point he is at the mercy of centralised services, who get to decide.
As long as there are enough centralised services with enough volume that agree such tokens are tainted the decision is effectively made for the entire ecosystem.
Legally, intent matters: a contract is above all "a meeting of minds", and the technical nuances of what exactly the smart contract says only matter if they help to establish what exactly that intent was. If the contract result clearly does not match the intent (or if the intent is invalid, e.g. the contract was written with an intent to deceive), then what the contract says can/should be overridden.
Just as in real life getting someone to sign on the dotted line with the intent to cheat them is fraud that can invalidate the contractual obligation, technical exploitation of a smart contract is the same. As you say, it might not even be illegal, details matter, but it might also well be a felony.
I don't think "everybody thinks" that. Smart contracts just give you an alternative set of risks which might be more useful in certain circumstances. They are also not immune to having legal consequences either.
Here's an old computerphile video: https://youtu.be/UlLN0QERWBs
Etherscan provides such a service for ethereum: https://info.etherscan.com/ethprotect/