Agree. What I wrote is explicitly about testing the pubkey of the event against the allow list. The pubkey is the signer and that should not happen. The p-tag can be used like you guys do to run the allow list. That's fine. You don't even need auth in those cases. 

My answer to nostr:nprofile1qqs0kymx4027fjf2322s0yduwt23hh3fr2p42h9jcc56jtld67qx3tqpr9mhxue69uhhyetvv9ujuumwdae8gtnnda3kjctv9uq3jamnwvaz7tmvd9nksarwd9hxwun9d3shjtnrdakj7qgmwaehxw309aex2mrp0yhxummnw3exjcmgv4ejummjvuhsa6kd6c   was explicitly about the use of the pubkey and mixing signing and auth roles in one key.