We can confirm that Aave v3 was designed with this potential problem in mind, making it straightforward to recover assets from specific key contracts, such as the aforementioned Pool.
As correctly described by the OP, a steward pattern can be used, encoding the exact amounts to rescue, and to which the Aave Guardian in Avalanche will need to grant POOL_ADMIN permissions for only that action.
In order to follow good practices, and even if from a high-level perspective the case seems clear, for full transparency with the community, we would like to request the following from the Platypus team:
- Proof with all different amounts, addresses involved, and public analysis (e.g. security teams who analyzed the exploit) that the amounts belong to the Platypus protocol/users.
- Having a representative of an independent security team confirming the facts and legitimacy of the claim.
- Creation of a Snapshot vote (somebody from the Aave community can help too) for the Aave community to authorize the Aave Guardian for the rescue.
From our analysis, we find the claim fully legitimate, but also believe that full transparency is a must in these kinds of situations.