Yes—this is precisely how a real spam attack works. Attackers craft fake public keys that aren’t valid secp256k1 points to create outputs that appear normal but cannot be spent. Since these counterfeit keys don’t require real signatures, the outputs are smaller and cheaper to include in blocks, making it a low-cost way to inflate the UTXO set and shift storage burdens onto full node operators. That’s why validating public keys at the curve level is essential—it closes this loophole.