by remram 1576 days ago
You still can't tell whether a domain was automatically renewed at expiration by the owner or by an attacker. A lot of registrars will auto-renew at the expiration date, or close enough that you can't tell from WHOIS records.
1 comment

Maybe there should be some metadata that indicates whether a renewal is approved by the previous owner. That might require some extra administration by domain registrars and probably couldn't be applied retrospectively, but it would be useful.

The other place where this potentially matters is CAs issuing TLS certificates for domains that expire before the certificate does. If they detect that a domain they have issued a certificate for has been subsequently registered by a new entity, they should revoke the old certificate.

You might as well use something out-of-band to verify emails, like PGP.