Right. It’s still a bit of an implementation detail though. There could be a ledger bit on the MD itself that would automatically be turned off after each transaction, or there could be an option on the API that by default be set to whatever the last transaction was set to. These would work identically. Anyways, as you said, it’s probably best that it would be kept off by default. The cases where you need to keep it on for multiple transactions can be handled by the applications layer.
In the aid example, if someone wanted to buy food, they could initiate a transaction, and since it’s multisig, the aid organization would also have to sign it. If the transaction wasn’t initiated with the ledger bit, the aid organization could just that they won’t sign until the transaction is initiated with the ledger bit set. This could also all be handled by a wallet, so they wouldn’t have to think about it unless someone tried to cheat and then there would be some message in the wallet. If the coins need to be transferred between multiple parties before moving out of the system, the aid organization could keep itself as an owner through multiple transaction, so that their signature would always be needed, and just change the other owner.