An attack on proof-of-work wouldn't let you rewrite arbitrary transactions. At most an attacker could exclude certain recent transactions—most likely their own—reverting payments which were previously deemed "complete" and replacing them with conflicting transactions. All transactions still need to be signed with the proper keys, however, so the attacker can't just lay claim to others' coins.