Of course. But you don't need internal public key, to move the coins. For example: what is internal public key here? https://mempool.space/tx/f0e7351b7829826057a984fde7c03d1c67e8235224c5e3791122a072d1e1a3ff

As you can see, nobody knows, or uses any internal public key for some addresses, and coins are still spendable. Which means, that if someone will get the private key to the external public key, visible in the Taproot address, then it is all that is needed, to move these coins anywhere, under the current consensus rules.

Of course, in the future, that may be blocked or restricted (so using untweaked keys is a bad idea), but now it isn't blocked, and it may never be (because then, there is a risk of confiscating some coins; it is a similar case, if someone would want to invalidate old, random P2PK, where HD wallets were not yet used). And claiming, that "all keys have to be tweaked" is a similar thing, as claiming that "everyone have to use HD wallets", which is simply not the case, when it comes to enforced consensus rules.