At the moment it's possible to just insert any old signatures. One could even grab existing signatures from past transactions; the verifier would not be able to tell the difference. This means the protocol is broken, in a sense, because the prover does not need to have access to the private key of an address in order to claim its funds. There are a few possible ways to resolve this:
Use private keys as inputs to the snark (instead of signatures) - this is largely incompatible with custodians' internal systems, since their private keys are locked behind specialized wallet software
Expose the signature message as a public signal in the snark system - this will allow the verifier to check that it contains sufficient randomness (such as the block hash at some time)
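A sketch of the verifier-side check that the second option enables, written as an added example and not taken from the project's code. It assumes the proof exposes the signed message as a 32-byte public signal and that the message is SHA-256 over a domain tag, an audit identifier and a block hash; that layout and all names (`DOMAIN`, `challenge_message`, `verify_message_signal`, `audit_id`) are hypothetical. Signature validity over the message is still what the snark itself proves.

```python
import hashlib
from typing import Dict, Optional

DOMAIN = b"proof-of-assets-v1"  # hypothetical domain-separation tag


def challenge_message(block_hash: bytes, audit_id: bytes) -> bytes:
    """Message the custodian's wallet is asked to sign (assumed layout)."""
    return hashlib.sha256(DOMAIN + audit_id + block_hash).digest()


def verify_message_signal(public_msg: bytes, audit_id: bytes,
                          chain: Dict[int, bytes],
                          min_height: int) -> Optional[int]:
    """Return the block height the signed message commits to, or None.

    public_msg : signature message exposed as a public signal of the proof
    chain      : block height -> block hash, as seen by the verifier
    min_height : oldest block the verifier still accepts as fresh
    """
    for height, block_hash in sorted(chain.items()):
        if height < min_height:
            continue  # too old: a signature over it could have been stockpiled
        if public_msg == challenge_message(block_hash, audit_id):
            return height
    return None  # message is not bound to any fresh block hash


# Constructed sample data (not real chain data).
CHAIN = {h: hashlib.sha256(b"block-%d" % h).digest() for h in range(100, 106)}
AUDIT_ID = b"audit-2024-01"

# Message signed for this audit over a recent block hash.
FRESH = challenge_message(CHAIN[104], AUDIT_ID)
# Same layout, but over a block older than the freshness cutoff.
STALE = challenge_message(CHAIN[101], AUDIT_ID)
# Stand-in for the message of a signature lifted from a past transaction.
REPLAYED = hashlib.sha256(b"sighash of some past transaction").digest()

if __name__ == "__main__":
    for name, msg in (("fresh", FRESH), ("stale", STALE), ("replayed", REPLAYED)):
        print(name, verify_message_signal(msg, AUDIT_ID, CHAIN, min_height=103))
```

A signature copied from an old transaction fails this check because its message is a transaction hash rather than the challenge, and a signature over an old block hash fails the freshness cutoff.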