Graftroot: Private and efficient surrogate scripts under the taproot assumption

Posted by Gregory Maxwell

Feb 24, 2018, 18:58 UTC

In a recent email conversation on the bitcoin-dev mailing list, Daniel Edgecumbe proposed that binding grafts to a particular transaction does not necessarily require aggregation. He suggested that signing H(txid, script) instead of H(script) could potentially work, but he was unsure whether this would break aggregation. However, this method requires knowing the txid in advance. In cases where the txid is already known, a graftroot sighash flag can handle it, but usually it is not known. Signing a transaction that spends the multisig coin to the graft is an alternative solution, but it is not atomic and cannot support scalability or privacy. Additionally, it does not work if the graft was not created after the fact. The aggregation approach has the advantageous property of working just in time even on grafts created in advance.
