It also checks if the inputs in the new block's transactions are known about, gathered by the above process. These would be payments leaving the multisig address.
By parsing blocks for transactions (blocknotify) instead of just learning about a new transaction (walletnotify) at least the transaction has one confirmation. This avoids the malleability issue altogether.
I think we are doing the same thing. I use walletnotify and disregard transactions with 0 confirms (walletnotify executes the callback both at the time a new transaction is accepted by a node on the network and then again when the transaction has 1 confirm). When I am notified of a transaction with 1 confirm, I see if I have it in my database. This is the easy case when the transaction ID was not altered. If I do not recognize the TXID, then I try to match it up against transactions I have created in my database that have yet to be confirmed once.
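The matching procedure described in the post above (ignore the 0-confirm callback, match by TXID, otherwise match against locally created unconfirmed transactions), as an added example that is not code from this thread; the record layout, field names and sample values are assumptions:

```python
# Added example (not from the thread): malleability-tolerant matching of a
# walletnotify callback against locally created, not-yet-confirmed transactions.
# Matching by spent outpoints plus outputs works because malleation only rewrites
# the signature data, leaving the spent outpoints and the outputs unchanged.
# All transaction records below are constructed sample data.

def _shape(tx):
    """Normalized (inputs, outputs) key: the malleability-invariant part of a tx."""
    inputs = frozenset((i["txid"], i["vout"]) for i in tx["inputs"])
    outputs = tuple(sorted((o["address"], o["amount"]) for o in tx["outputs"]))
    return inputs, outputs

def match_notified_tx(db, notified):
    """Resolve a walletnotify payload to a local record id.

    db: dict record_id -> {"txid", "inputs", "outputs", "confirmations"}
    notified: dict with the same keys, as reported by the node (assumed layout).
    Returns (record_id, reason) or (None, reason).
    """
    if notified["confirmations"] < 1:
        return None, "unconfirmed"          # first walletnotify call; disregard
    for rid, rec in db.items():             # easy case: TXID was not altered
        if rec["txid"] == notified["txid"]:
            rec["confirmations"] = notified["confirmations"]
            return rid, "txid"
    shape = _shape(notified)                # TXID unknown: compare inputs/outputs
    candidates = [rid for rid, rec in db.items()
                  if rec["confirmations"] == 0 and _shape(rec) == shape]
    if len(candidates) != 1:
        return None, "ambiguous" if candidates else "no-match"
    rid = candidates[0]
    db[rid]["txid"] = notified["txid"]      # adopt the confirmed (malleated) id
    db[rid]["confirmations"] = notified["confirmations"]
    return rid, "inputs"

# Constructed sample: one payment we created and broadcast (0 confirmations).
SAMPLE_DB = {
    "pay-1": {"txid": "aa" * 32, "confirmations": 0,
              "inputs": [{"txid": "11" * 32, "vout": 0}],
              "outputs": [{"address": "addr_customer", "amount": 50000},
                          {"address": "addr_change", "amount": 9000}]},
}

# Constructed sample: the same payment confirmed under a different TXID.
MALLEATED_NOTIFY = {"txid": "bb" * 32, "confirmations": 1,
                    "inputs": [{"txid": "11" * 32, "vout": 0}],
                    "outputs": [{"address": "addr_change", "amount": 9000},
                                {"address": "addr_customer", "amount": 50000}]}
```

A second unconfirmed record with identical inputs and outputs makes the match ambiguous, so the function refuses rather than guessing.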