Looks good, my main concern is if there are only a few big signers they can collude to reveal all users keys, if they are greater than threshold T, non colluding signers will not even know that keys are compromised, even the user will never know if no obvious signatures are made, and they will go on using their key as if its good, while all their private comms could be decrypted.

It's still better than relying on one server, it's just the worst case scenario I could think of.