I keep reading such explanations but to be clear, MCAS is always powered on. When and where it functions is defined by software alone. As such this is safety critical software and should meet the highest assurance levels. The designer did not wish for the aircraft to crash and may have set all the protection methods they could think of as a credible design goals. We have yet to learn if MCAS, as implemented, did respect the AP selection, flap configuration or anything else the designer had in mind.

MCAS being 'live' when it should not have been remains a plausible explanation. It ticks all the boxes for a latent failure - no direct indication to the crew, no failure modes displayed, no routine interaction with other systems, no BITE or similar and does not drive the stab at any point during a normal sortie. As long as it thinks the AoA is ok it does nothing.

Time will tell if functions like trim cutout, AP cutout, configuration cutout etc actually work. Given that the system seems to be blissfully unaware of the actual flight dynamics beyond simple unmonitored raw sensor data and will willingly fly the aircraft into the ground, I remain reluctant to accept the claimed operating envelope as gospel.

I guess I have spent too many years flight testing aircraft and my level of 'trust' has been swamped by 'verify'. As an aside, flight testing has become inconvenient in the last 15 years or so. We get more facetime and interaction these days post-crash - everyone is 'all ears' at that point. We need to get flight testing and training verified before an aircraft is released to the line. Kicking over aluminium at an accident site is just too late.