So if I have a holding with custodian=alice and owner=bob and I call its Transfer choice and I specify a newOwnerAccount as custodian=charlie, owner=bob,
(The Transfer choice requires authorization of multiple parties so let us say I have used some workflow contract to collect signatures as necessary)
The default implementation of Transfer which is transferImpl (https://github.com/digital-asset/daml-finance/blob/97dbed69781cd96cea60507319bfedaad1e7d60e/src/main/daml/Daml/Finance/Holding/Util.daml#L38) will happily allow such a transfer. I verified this with a little test script and I note that the new custodian would often be required to explicitly sign this transfer, but not necessarily, e.g. if their authority is available in the transferImpl execution context for another reason (such as being the owner of the holding or the controller.outgoing of the sender account, or any other reason that is not explicitly authorizing the intrinsic Account.Credit).
Could you help me explain the paradigm here?. I am thinking that a Holding represents some kind of digital asset or cryptocurrency, and to me, the requirements of that would be 1) participants have consensus on the amount, 2) participants validate that there are no double spends and 3) participants know what the minting/burning rules are and validate that they are being followed. If the paradigm is that a holding can be transferred to another custodian, and from there to another, and from there to another, etc., combined with the fact that a custodian can freely mint and burn Holdings with custodian=them, then generally any DAML party on the network can mint or burn from the money supply and the privacy model means that such activity would generally not be visible to others.
Of course as a custodian one could protect the value of the Holdings one is the custodian of by refusing all incoming transfers from currentCustodian=notMe, newAccount.custodian=me, but if that is the solution then it seems like the Transfer choice should be enforcing that, really, in order to match the implications of the name “Transfer”.