First of all on behalf of FLOT I thank you for your support.
Multisig is tricky enough to deal with using just one address. The best way would be to use different permutations of public keys to generate multiple address; this can reduce some unlikely user errors in using Cointoolkit (fat fingers, not verifying the transactions). The security gain, though, is marginal, and comes at a cost - both the community and FLOT need to keep track of more than one address at a time, which introduces other forms of security issues.
If we use different sets of public keys altogether, this also introduces some key management issues, both by FLOT and the community, without much security gain. A lot of that is because of the overhead in agreeing upon a newly formed address (which already has to be done for every custodial grant, btw), and that nud and bitcoind don’t let you segregate private keys and choose a specific key that you use to sign a transaction (not necessarily an overall bad design in itself).
Personally I will reserve the first option as a possible solution, but it comes down to whether FLOT has the right training in doing the right thing. To address this concern, we may be able to do multiple practice runs in burning the 0.49 NBT “test balance” without touching the 20000 NBT output. @jooize @masterOfDisaster @ttutdxh @woodstockmerkle want to give it a try?