FWIW I *really* dislike the idea of a hidden directory, it just feels wrong and clunky to me, and doesn't integrate well with the host at all.
I mean, ultimately we need *some* way of storing arbitrary extra metadata. The nice thing about putting that in the file system is that it's perfectly portable, has no size limitations, and conceptually quite simple.
Of course, as Joel mentioned, it's also a lot easier for that metadata to get lost.
(I'm not sure that TOCTOU is a concern? Partly because "filesystem atomicity doesn't really matter unless you're doing something dumb". But I don't know, maybe there are real issues there.)
It's worth mentioning that integration doesn't really matter for all of these attributes. I personally find that translating READONLY to mode bits gets in the way more often than not. Obviously SYSTEM and other attributes have no POSIX equivalent. Reparse points can potentially have a POSIX equivalent but I think we've seen it's not as simple as translating that directly, i.e. we still need metadata that's stored outside the symlink target.
tmpfs not supporting reparse points seems fine if that's the worry here; the reason Read-Only is different is that it's a basic feature of all Windows filesystems, not just more advanced ones (like NTFS), so it never fails on Windows, anywhere, even on FAT filesystems.
So apps on Windows can fail to use reparse points if used on a filesystem that doesn't support them, so they likely can expect it. But not the Read-Only attribute, that's why I find the current handling fine for tmpfs…
I don't think it works that way in practice; applications blithely assume they're running on NTFS all the time.
Note that even on FAT there's more attributes than just READONLY; I think SYSTEM is the other one that actually matters in practice. That just can't work on tmpfs without storing some metadata.
Frankly the answer could also easily be "don't do that", i.e. you get to keep the pieces if tmpfs breaks. I.e. we could print a winediag message if someone tries to set attributes on a file in tmpfs (or anything else that doesn't support xattr) and just ignore the request.