Bill, thanks! You explained the issue much better than me. Yes, the problem is that, in my example, the operator was allocated
1.2.4/22 but the attacker is announcing
1.2.0/20, which is larger than the allocation, so the operator cannot issue ROA for it (or covering it). Of course, the RIR _could_ do it (but I don't think they do, right?). So this `superprefix hijack' may succeed in spite of all the ROAs that the operator could publish.
I'm not saying this is much of a concern, as I never heard of such attacks in the wild, but I guess it _could_ happen in the future.