You need those confirmations because PoW is probabilistic. Any entity with a large share of hashrate, even if it's less than 51%, can selfish mine and force block reorgs on any PoW coin. Their successful attempts increase the more hashrate they have, but it doesn't require anywhere even close to 51% to start disrupting the network.
Discussion
Agree, the problem is for how long can the attacker sustain a “longer” branch.
1 hour of desync is accounted in the design, a full week is no bueno.
Then at 51% their branch will accumulate more PoW over long periods of time.
Exactly Qubic couldn't sustain it. Even during the attack you just had to wait for more confirmations.
My point was that for example Foundry alone could selfish mine Bitcoin already and it would be the same situation as Qubic and Monero. They have about as much hashrate as Qubic had at it's peak as with Monero. Just because they haven't done it yet doesn't mean they don't have the ability to. Incentives make it unlikely, but selfish mining inverts incentives. It's more of an economic attack.