Basically yes. Although I think you can also do the simulate bit, since the random hash depends on the current block hash and the tx hash, so you could just simulate the transaction and see if you like the result and only then send it.
Hence this needs to be done in separate transactions like the new docs say, or async cross shard calls need to always be involved. Either way, the solution against this kind of attack is not pretty regarding UX
Basically yes. Although I think you can also do the simulate bit, since the random hash depends on the current block hash and the tx hash, so you could just simulate the transaction and see if you like the result and only then send it. Hence this needs to be done in separate transactions like the new docs say, or async cross shard calls need to always be involved. Either way, the solution against this kind of attack is not pretty regarding UX