by dijksterhuis 897 days ago
Yes. It is possible to generate one adversarial example that defeats multiple machine learning models -- this is the transferability property.

Making examples that transfer between multiple models can affect "perceptibility", i.e. how much change/delta/perturbation is required to make the example work.

But this is highly dependent on the model domain. Speech to text transferability is MUCH harder than image classification transferability, requiring significantly greater changes and decreased transfer accuracy.

I'm pretty sure there were some transferable attacks generated in a black box threat model. But I might be wrong on that and cba to search through arxiv right now.

edit: https://youtu.be/jD3L6HiH4ls?feature=shared&t=1779