You would think so, but it turns out that this ("subdomain takeovers") is a very common misconfiguration for a lot of *aaS services. Enough so that some bug bounty programs won't pay out much for it or at all because it happens so much and they don't consider the shared-suffix issue very important.
On the provider side though, requiring ownership verification (TXT records, etc.) introduces friction on the onboarding process. It's likely any reasonably competent provider that doesn't implement verification has had a serious internal discussion about it and decided it's not worth thinning their funnel for.
Yeah, like I said in another comment, it seems like it's normal across these PaaS platforms.
> If you point your domain to Heroku having not set it up first, that's on you...
How is it on you? It's possible a previous owner had a Heroku app with that domain attached to it or someone just added it to their app before you set up a Heroku app.