by judge2020 1652 days ago
> if you have one bad CA they can sign any domain even if they shouldn't -- but in this case it prevents what you're worried about.

This is why certificate transparency is a thing and most browsers require it for public internet domains[0,1].

0: https://chromium.googlesource.com/chromium/src/+/refs/heads/...

1: https://support.apple.com/en-us/HT205280