What is a good design for creating an NFT that can be owned by 2 owners with different privileges?

I'm trying to create an NFT that can occasionally be co-owned by a primary and secondary owner. When the NFT is first created, it will be owned by only the primary owner. So, if a token was initially minted to Alice, both the primary and secondary owner will be pointing to Alice's address. Subsequently, if the primary owner decides to borrow ETH from another person, that other person will become the secondary owner of the NFT.

The role of the secondary owner is like a guardian and he doesn't really own the token. Certain actions the primary owner performs would require the approval from the secondary owner. For instance, if the primary owner wants to transfer the token to another owner address, the secondary owner has to approve it.

A standard multisig contract doesn't work because the owner addresses can keep changing, and sometimes it's just the primary owner only. The logic is different from a multisig contract. This isn't fractional ownership either, because the secondary owner is merely an approver for the primary owner.

Since the standard ERC721 can only have one single address as an owner of each token, I created another contract called TokenOwnership which contains the state variables address primaryOwner and address secondaryOwner. There are also a few functions in the TokenOwnership contract to perform this approval by the secondary owner.

When a token is first minted for Alice, it will deploy a new TokenOwnership contract and assign both the primaryOwner and secondaryOwner to Alice's address. Subsequently, if Alice decides to borrow ETH from Bob, the secondaryOwner will then be set to Bob's address. And when Alice has repaid the loan, Bob will no longer be the secondary owner and Alice will become both the primary and secondary owner again.

However, I'm starting to think that this isn't a good idea because there are a few scenarios that can really mess things up:

  1. When the token is first minted and both the primaryOwner and secondaryOwner in the TokenOwnership contract are pointed to Alice, she is the full owner.
    • She could create a malicious FakeTokenOwnership contract, set herself as owner in the state variables of the FakeTokenOwnership contract and transfer her token to this malicious contract address.
    • Later, when she borrows ETH from Bob, Bob cannot really stop Alice from performing actions even as a secondary owner because the TokenOwnership contract is a malicious one and the operations are different.
  2. Every function Alice wants to call on the token needs to be done through the TokenOwnership.
  3. Minting becomes expensive because we have to deploy a new TokenOwnership contract for every mint.

Is there a better way to design and create the NFT I'm trying to achieve?

You could create the "TokenOwnership" contract not at the time of mint but at the time of initiating a borrow. When Alice decides to borrow ETH and Bob agrees to lend it, they both enter an agreement where Alice transfers her token to a "TokenOwnership" contract, and this contract encodes the rules that you mentioned during the lifetime of the loan.

In order to make it cheaper and to remove the possibility of a malicious TokenOwnership contract, you should have a trusted factory that creates the instances as clones.
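The following is an added example illustrating both the primary/secondary-owner design from the question and the answer's suggestion of a trusted factory that deploys escrow contracts as clones only when a loan starts. It is not code from the question or the answer. It assumes OpenZeppelin Contracts 5.x for `IERC721`, `IERC721Receiver` and the EIP-1167 `Clones` library; the loan terms (repayment of exactly `principal` in ETH, no interest, no deadline, no liquidation path) are a hypothetical simplification to keep the approval mechanics visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the question or answer. Assumes OpenZeppelin Contracts 5.x;
// the loan terms below (exact-principal repayment, no interest, no deadline) are a simplification.
import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

/// Holds one NFT for the life of a loan. The borrower keeps the primary role,
/// the lender is the guardian: the token only leaves if both agree (or on repayment).
contract LoanEscrow is IERC721Receiver {
    enum State { Pending, Active, Closed }
    address public factory;
    IERC721 public nft;
    uint256 public tokenId;
    address public borrower;          // primary owner
    address public lender;            // secondary owner / guardian
    uint256 public principal;         // wei the lender supplies and the borrower repays
    State public state;
    address public pendingTransferTo; // destination proposed by the borrower, awaiting lender approval

    // The implementation itself is locked; only clones (which skip the constructor) can be initialized.
    constructor() { factory = address(this); }

    function initialize(IERC721 nft_, uint256 tokenId_, address borrower_, address lender_, uint256 principal_) external {
        require(factory == address(0), "already initialized"); // a fresh clone has all storage zeroed
        factory = msg.sender;
        nft = nft_; tokenId = tokenId_; borrower = borrower_; lender = lender_; principal = principal_;
    }

    function onERC721Received(address, address, uint256, bytes calldata) external pure override returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }

    /// Lender sends exactly `principal`; it is forwarded to the borrower and the loan goes Active.
    function fund() external payable {
        require(state == State.Pending && msg.sender == lender && msg.value == principal, "bad fund");
        state = State.Active;
        (bool ok, ) = borrower.call{value: msg.value}("");
        require(ok, "payout failed");
    }

    /// Before funding, the borrower may back out and get the token back.
    function cancel() external {
        require(state == State.Pending && msg.sender == borrower, "cannot cancel");
        _close(borrower);
    }

    /// Borrower repays `principal` to the lender; the token returns to the borrower and the escrow closes.
    function repay() external payable {
        require(state == State.Active && msg.sender == borrower && msg.value == principal, "bad repay");
        (bool ok, ) = lender.call{value: msg.value}("");
        require(ok, "repay transfer failed");
        _close(borrower);
    }

    /// Two-step transfer during the loan: the borrower proposes a destination ...
    function proposeTransfer(address to) external {
        require(state == State.Active && msg.sender == borrower, "not borrower");
        pendingTransferTo = to;
    }

    /// ... and nothing moves until the lender (guardian) approves that exact destination.
    function approveTransfer(address to) external {
        require(state == State.Active && msg.sender == lender, "not lender");
        require(to != address(0) && to == pendingTransferTo, "no matching proposal");
        _close(to);
    }

    function _close(address to) internal {
        state = State.Closed;             // set before the external call (checks-effects-interactions)
        pendingTransferTo = address(0);
        nft.safeTransferFrom(address(this), to, tokenId);
    }
}

/// Trusted factory: the only source of genuine escrows, so a lender can check
/// `isEscrow(addr)` instead of trusting a contract the borrower deployed herself.
contract LoanEscrowFactory {
    address public immutable implementation;
    mapping(address => bool) public isEscrow;
    event LoanOpened(address escrow, address indexed nft, uint256 indexed tokenId, address borrower, address lender);

    constructor() { implementation = address(new LoanEscrow()); }

    /// Borrower calls this after approving the factory for `tokenId` (or setApprovalForAll).
    /// One EIP-1167 proxy (about 45 bytes of code) is deployed instead of a full contract per loan.
    function openLoan(IERC721 nft, uint256 tokenId, address lender, uint256 principal) external returns (address escrow) {
        require(lender != address(0) && lender != msg.sender, "bad lender");
        escrow = Clones.clone(implementation);
        isEscrow[escrow] = true;
        LoanEscrow(escrow).initialize(nft, tokenId, msg.sender, lender, principal);
        nft.safeTransferFrom(msg.sender, escrow, tokenId); // reverts unless caller owns the token and approved us
        emit LoanOpened(escrow, address(nft), tokenId, msg.sender, lender);
    }
}
```

The flow is: Alice approves the factory for her token and calls `openLoan`, which moves the token into a fresh clone; Bob checks `isEscrow(escrow)` and its `borrower`/`principal` fields, then calls `fund()`; while the loan is active Alice can only move the token through `proposeTransfer` followed by Bob's `approveTransfer`, and `repay()` returns it to her. Outside a loan the token sits in Alice's wallet as a plain ERC721, so scenarios 2 and 3 from the question (every call routed through TokenOwnership, one deployment per mint) do not arise, and scenario 1 is addressed because a fake escrow would fail the factory's `isEscrow` check.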