I figured out a new mitigation strategy pretty much immediately:

Keep a single byte in the header, for use with the Bloom filter. When hashing the events, salt it with this byte at the end. If an attacker fills up a Bloom filter (or drives it above a threshold), increment the byte.

Anyone using the Bloom filter for lookup only needs to salt their event with the byte, and proceed as usual.

That multiplies the attacker’s burden with 256. The node implementation could of course use any byte array, making the potential cost infinite, by having nodes doing more hashing in response to an attack like this.