How does turnstile defense against counterfeiting work

Does this include the funds of people that have legally/honest their ZEC funds in the pool?

For example: x people have ~190,000 ZEC within the sprout pool. The attack manages to withdraw let’s undetected 3x 50,000 ZEC or a total of 150,000 ZEC. At the least attempet when he tries to withdraw the 4th time 50,000 ZEC the balance would go negative and ALL funds frozen, including the ~190,000 ZEC of the people that didn’t even touch them meanwhile. Is this a correct assumption of what would happen in such case? Or how would it play out for these people holding ZEC in the sprout pool?