I was thinking about how its a bitch to setup TMP for the majority of people like buyers who doesnt have any real benefit from multisig, if the admin controlled the buyers secret key for the transaction could he then change the flow of the transaction so that the escrow went to him? Or could he only change between buyer -> seller to seller -> buyer?
I'm not entirely sure if I understand your question right, but TMP would need just need two keys to sign over a transaction in their favor. They never get the private key from either the vendor or the customer so that would actually be impossible with their current system. However if they wanted to scam it would be as simple as intercepting public keys and replacing them with theirs from either side and then signing the transaction over to them instead of the vendor or customer. But as soon this happen people would find out pretty fast. And I mean really damn fast. The multi-sig protocol (BIP32) which allows the use of TMP's escrow is set in stone, if signed transactions don't verify, have no money left on them or can't be broadcasted there would be no excuse which TMP could use to talk themselves out of the situation, it would be pretty apparant if they would scam and they wouldn't be able to scam very much.