I thought the only things a user needs to provide are:
  • User name
  • Password

If these match, access is granted.
I don't think there is a security hole. I think it is just about the way the system is (ab)used by users and administrators.
I think we should just stop creating local user accounts (OK, maybe one alternate local Admin with password only known by the IT Admin team). If users need to log on disconnected from the domain, I see (almost) no problem using the cached user profile.
Maybe it would be better to ask why a user or an administrator thinks he needs a local user and evaluate whether it can be done with a domain user.

What I don't know is whether InGroup() will work. But I think one should use a domain user ID to evaluate membership of domain groups! That logon script should only run when using a domain user name and when connected to the domain. And AFAIK that is just the way the legacy logon script and the GPO Startup/Shutdown and Logon/Logoff scripts work.