I didn't realise that the ETag came back in the final POST for the multipart upload - well spotted.
I've had a go at implementing that here - please give it a go.
v1.62.0-beta.6731.63bf57580.s3-multipart-etag on branch s3-multipart-etag (uploaded in 15-30 mins)
It isn't a good check you are right.
However multipart uploads are protected in a number of different ways - the best probably being that rclone sends the Hashes of all the individual parts in a list at the end in the last POST request so the provider should be doing the equivalent of that check when rclone requests the multipart upload to be completed.
Adding this check when using --s3-no-head is very nice though and a tiny bit more certainty that things are correct 