by Scaless 2039 days ago
6 years later, nothing's changed.

https://techcrunch.com/2014/01/29/godaddy-admits-hackers-soc...

Stay far, far away from godaddy.

3 comments

I think there are good reasons to avoid GoDaddy, but do HN-ers feel like there are registrars whose employees would never fall for social engineering techniques, or whose systems and/or processes make such a scenario far less likely?
If it's really important, you need a registrar and a registry with a Registry Lock program. With this in place, when you want to make a change, you notify the registrar, who notifies the registry, who carries out the authentication procedure and, if successful, allows the domain to be changed, then relocks.

Note that the registry may only be available to do unlock procedures for limited hours, usually business hours in their locale; that might be inconvenient if it's not your locale.

My understanding is Cloudflare can do registry locks, but does not offer registrar services standalone. Corporate oriented registrars like CSC and MarkMonitor offer it. I don't have experience with CSC, but MarkMonitor had a pretty high minimum spend (I think 10k/year) to get on their platform circa 2013; that may have changed, also they're now owned by a VC firm, just FYI.

NetworkSolutions (boo hiss), rolled out a registry lock feature after a high profile hijacking which was why my employer had me work with MarkMonitor.
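One way to check for the posture described above, as an added example that is not code from the thread: it classifies a domain from the status values in its RDAP record, where the "server ... prohibited" strings (RFC 8056's mapping of the EPP serverTransferProhibited family) are the marks a registry lock leaves and the "client ... prohibited" strings are registrar-level locks anyone controlling the registrar account can clear. The sample records are constructed, not real lookups.

```python
"""Classify a domain's lock posture from the status list in an RDAP record.

Added example, not from the thread. RFC 8056 maps EPP status codes to RDAP
strings: 'server ... prohibited' values are set and cleared by the registry
(what a Registry Lock program controls); 'client ... prohibited' values are
set through the registrar and go away with a hijacked registrar account or a
socially engineered support agent."""
import json

# Only the registry can clear these, after its out-of-band authentication.
REGISTRY_LOCK = {
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
}
# Cleared by whoever controls the registrar account.
REGISTRAR_LOCK = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}


def lock_posture(record: dict) -> str:
    """Return 'registry-locked', 'partial-registry-lock', 'registrar-locked'
    or 'unlocked' for one RDAP domain object."""
    status = {s.strip().lower() for s in record.get("status", [])}
    if REGISTRY_LOCK <= status:
        return "registry-locked"
    if status & REGISTRY_LOCK:          # some but not all server locks set
        return "partial-registry-lock"
    if status & REGISTRAR_LOCK:
        return "registrar-locked"
    return "unlocked"


def audit(records: list) -> dict:
    """Map each domain name to its posture so anything short of a full
    registry lock stands out in a portfolio review."""
    return {r["ldhName"].lower(): lock_posture(r) for r in records}


# Constructed sample records shaped like RDAP domain objects (not real data).
SAMPLE = json.loads("""[
 {"ldhName": "locked.example", "status": ["server transfer prohibited",
   "server update prohibited", "server delete prohibited",
   "client transfer prohibited"]},
 {"ldhName": "typical.example", "status": ["client transfer prohibited"]},
 {"ldhName": "open.example", "status": ["active"]}
]""")

if __name__ == "__main__":
    for name, posture in audit(SAMPLE).items():
        print(f"{name}: {posture}")
```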

Companies with better established security infrastructure like AWS and Google make for better registrars in my opinion. They're not perfect, for example with Google you might lose your domains due to a youtube infraction. Actually, now that I think about it strike Google from the list, just AWS really.
I would love to use AWS's registrar exclusively for anything I host there, but unfortunately they have a pretty limited selection of TLDs. It's more important to me that all my domains are in one place so I can review them at once. I really wish they would support more.
If "viewing all at once" in a single UI is more important than security, reliability, etc., you don't have many constraints to begin with.
A domain registrar has three functions:

1. configure my nameservers and whois info.

2. pay my bills.

3. prevent other people from taking over my domain.

I can see how AWS would give you more confidence in #3.

Considering AWS is just reselling Gandi, I would love to hear how AWS (or any registrar) can be more reliable than another :)

AWS because they don't have customer service.
Not so fast. Six or so years ago someone reset the password on my account from the retail site's live chat because they knew info found in a whois.

Thankfully I only used that account for some retail purchases.

What? Yes they do. There are even premium support options for a few k a month where you can have dedicated and responsive support.

And if you can't afford a few k a month for a dedicated support person for your infra, then you aren't worth supporting, i.e. go to GoDaddy.

The market kind of helps optimise this.

It should be noted that GoDaddy also owns quite a few other registrars, e.g. Host Europe Group, which owns 123-reg, Heart Internet, Host Europe, Webfusion, RedCoruna, Mesh Digital and Domainbox.

https://en.wikipedia.org/wiki/Host_Europe_Group

What registrar would you recommend instead?
EasyDNS.

It's been around since 1998 and is a founder-owned company, and the founder wrote the book on managing mission-critical domains:

https://www.amazon.com/Managing-Mission-Critical-Demystifyin...

And they do offer registry lock (on a limited number of TLDs).

Nearlyfreespeech is more of a host than a registrar, but I feel they generally have really good practices and procedures around security. I certainly trust them more than GoDaddy. That said, they don't support a lot of .wacky suffixes other registrars might.
Namecheap and Porkbun are pretty good.

Namecheap is bigger, so it's possible to get support people that aren't amazing. Porkbun is pretty small and I feel like there's less room for underperforming support staff when you have less than 10 of them.

Porkbun has an extra "domain password protection" option where you can require an extra password to retrieve an auth code for a domain transfer. I'm not sure how much use that is though. Once someone is into the account to the point they can change NS, the real world impact is similar to having the domain transferred away (and recovered).

Namecheap has actually been a really good registrar, contrary to what the name suggests.
Instead of compromising cryptocurrency services, they support paying for their services in cryptocurrency. That's arguably a better strategy for engaging with the target audience of crypto enthusiasts ;)
I'm not very confident about Namecheap, given how long it took them to add 2FA. It seems to me that if they cared about security they wouldn't have waited literally years to do it.
Cloudflare does domains at cost, and I use them for every TLD they support.

I've had great experience with Porkbun, and no major complaints with Namecheap.

gandi.net has always been outstanding.
Second for Gandi. I had a very good experience with them, although prices are a bit higher than Namecheap or Porkbun.
Cloudflare.