As I understand it, segwit transactions were designed to be backwards compatible. If I understand correctly, they did this by designating the transactions as "anyone can claim", which meant that non-segwit clients would still accept the transactions. It kept from breaking consensus on the whole network. Extra rules were added which are ignored by non-segwit clients, but processed by segwit clients, which on the BTC chain basically prevents that happening.
Because bitcoin cash doesn't validate these rules, I think what ends up happening is that the attacker is taking transactions from the BTC blockchain (as they were validly signed) that send money to segwit addresses, which anyone can spend.
Now, it's entirely possible I'm completely wrong, so take this with multiple grains of salt.
Yes that is kinda how Segwit works.
However you missed the part for BCH.
They put the miner claim into the protocol.
The attack was a miner using the said code to take the coin for themselves. The code allowed it. However it was not "right" so the 2 pools roll backed the tx. This is the question it sounds alright but dangerous precedent for them. It wasn't so much a bug but ethics.