Is that really a problem? XSS attacks usually involve letting site's visitors add arbitrary html/js. The account owner being able to is more of a feature.
XSS attacks aren't the only thing to be worried about. As noted above, you could buy subdomain like "support.micro.blog" and trivially phish people's micro.blog credentials, for example.