Unless the negative valued customer and the surrounding customers never logged in... But thats a limitation of the scheme that can't be avoided. If a user never logs in you could just steal just their balance (and correctly set it to zero).
You also must make sure that all customers are seeing the same root, and that you can't do funny business like constantly update it to swap out which customers you're robbing. (e.g. it should be a daily or weekly updated thing).
You've got a point, the root of the tree could be made available to the main charting sites.. or even weekly written into the blockchain.
As for the negative values, I wasn't thinking of robbing anyone, but just pretending you are solvent when really you're not. I'm not sure I see what you mean by "swap out which customers you're robbing", could you expand?
E.g. say you have two customers with a balance of 100. You report the total is 100— so 100 BTC has gone missing.
When customer A logs in you give them one root and show them their balance (and B has a balance of 0). When customer B logs in— oops balances just update— you show them a new root, and in that one B has a balance of 100.
So you need to pin the commitments strongly enough so that the prover can't swap them out at will.
You also must make sure that all customers are seeing the same root, and that you can't do funny business like constantly update it to swap out which customers you're robbing. (e.g. it should be a daily or weekly updated thing).