secp256k1 is "somewhat rigid" not "fully rigid":
Incorrect. The parameters _are_ minimal; there is a script to reproduce them from first principles _in this very thread_.
Given that efficiency claims have been arbitrary.
There is nothing arbitrary about it: with use of the efficient endomorphism enabled, libsecp256k1 is (AFAIK) the fastest implementation of ECDSA verification on general purpose hardware in existence. Obviously, if it contained an implementation of Schnorr signatures over this group they'd be even faster due to being able to skip the modular inversion too, but as far as I know it is unparalleled by any other actual ECDSA implementation with comparable security...
Nor are there any obviously strictly superior alternatives, _even today_, much less several years ago. The best contenders have a cofactor greater than one— allowing a non-prime group at a minimum costs several bits of security (e.g. equal to or worse than the rho improvement from the efficient endomorphism), and depend on implementation hacks that require private keys to be in a particular sub-group, making things like multiparty key derivation (e.g. BIP32) incompatible with those implementations.
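For readers who want to check the two structural properties the reply leans on (the efficient endomorphism and the cofactor of one), here is an added example; it is not part of the post and not libsecp256k1 code. It uses the published secp256k1 domain parameters, derives the endomorphism constants rather than hard-coding them, and takes the primality of the group order as given; the function names are made up for this illustration.

```python
# Added illustration: checks the endomorphism identity and cofactor 1 on secp256k1.
from math import isqrt

P = 2**256 - 2**32 - 977  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order (prime)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Plain double-and-add; not constant time, for checking identities only."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def cube_root_of_unity(mod):
    """A nontrivial cube root of 1 modulo a prime with mod % 3 == 1."""
    return next(r for g in range(2, 100) if (r := pow(g, (mod - 1) // 3, mod)) != 1)

def endomorphism_constants():
    """Return (beta, lam) such that lam*(x, y) == (beta*x mod P, y) for curve points."""
    beta, lam = cube_root_of_unity(P), cube_root_of_unity(N)
    # Each modulus has two nontrivial roots (r and r^2); pick the lam that pairs with beta.
    if mul(lam, G) != (beta * G[0] % P, G[1]):
        lam = lam * lam % N
    return beta, lam

def cofactor_is_one():
    """N*G is infinity, N is prime, and 2N exceeds the Hasse upper bound, so #E == N."""
    return mul(N, G) is None and 2 * N > P + 1 + 2 * isqrt(P) + 2
```

The identity is what lets a verifier replace part of a scalar multiplication with a single field multiplication on the x-coordinate; the code checks the identity only and does not implement the scalar decomposition that produces the speedup.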