But I still can't know if the decrypted plaintext is correct. That's what I'm saying. The signature tells me nothing about the plaintext
Discussion
yes, this is correct, you would have to have a sentinel to enable this, the first byte even it could be, or maybe better first 4 bytes to eliminate the chances of decrypting the same by both
also, yes, you don't need that bit for signature verification, that's one of the neat things about Schnorr signatures
but it does not apply to ECDH
two points though
one, having to decrypt the whole message and then discover you need to flip the bit is wasteful of computation and time
two, it still doesn't fix the problem of two 3 key users with software imputing 2 keys