This is true, but the Russians have demonstrated that combining this with jamming they can make this still possible (along with other tricks). Obviously there's going to be some back and forth movement via countermeasures and updates, but the west has only very recently woken up to these threats.
The key issue here is bypassing the time synchronization requirement during the cold start. This has always been a problem with OSNAM, and it's impossible to solve completely. The workaround is clear, the receiver just needs to do an external clock synchronization without relying on GNSS. Something like NTP is more than sufficient for that.
The attack in the paper also assumes that the attacker has complete radio control and can jam ALL the signals. If the receiver gets even one fully authenticated stream from an actual satellite, then the initial timestamp spoofing will fail.
Replay attacks on tracking receivers are not particularly powerful either, they will be apparent within 10-30 seconds.
