by joveian 1547 days ago
Right, but my point is "not DNSSEC-signed" does not seem to be the same as "free of configuration errors that prevent resolution of the name with DNSSEC enabled".

Which configuration errors would those be? Without a DS record, there's no DNSSEC happening at the resolver, is there?
I tried looking again and found that it is systemd-resolved's error, at least in the developer.apple.com case (the Verisign one is a bit different but potentially might also be a systemd-resolved issue). It seems the issue is that the servers for g.applimg.com are completely DNSSEC-unaware and querying the DS record somehow doesn't work the way DNSSEC wants it to, even in the "no DNSSEC" case; however, the parent zone correctly indicates that there is no DNSSEC, so it should be accepted.

https://github.com/systemd/systemd/issues/9867#issuecomment-...

It sounds like systemd-resolved has had a bunch of issues like that, where it fails (or previously failed) on things that would be an issue if DNSSEC were enabled but shouldn't be, since DNSSEC is not being used. I'll stop blaming DNSSEC.
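To make the point in the comments above concrete: a validating resolver decides whether a delegation is signed by asking the parent zone for the child's DS record, not by asking the child's own servers. If the parent answers NODATA together with a signed NSEC/NSEC3 proof that no DS exists, the child is an "insecure" (unsigned) delegation and nothing below it is validated, so a DNSSEC-unaware child server that mishandles a DS query must not cause a failure. The script below is an added illustration of that rule and is not code from the thread or from systemd-resolved; it hand-builds three DNS wire-format responses (all constructed for this example, not captured from real servers), parses them with a small stdlib-only parser, and classifies the delegation. The NSEC3, RRSIG and DS rdata are placeholder bytes, and no signatures are verified; a real validator would check the RRSIG chain up to the trust anchor before trusting the proof.

```python
import struct

RCODE_NOERROR, RCODE_REFUSED = 0, 5
TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 43, 46, 47, 50
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, qtype, rcode, answer=(), authority=()):
    """Build a minimal authoritative response: header, one question, then RRs (no compression, no EDNS)."""
    flags = 0x8400 | (rcode & 0xF)  # QR=1, AA=1, RCODE in the low nibble
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for name, rtype, rdata in list(answer) + list(authority):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    return msg


def decode_name(data, off):
    """Decode a name at `off`, following compression pointers; returns (name, offset after the name)."""
    labels, jumped, next_off = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                next_off = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (next_off if jumped else off)


def parse_response(data):
    """Return rcode plus the (name, type, rdata) triples of the answer and authority sections."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4  # skip qtype + qclass
    sections = []
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            rrs.append((name, rtype, data[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return {"rcode": flags & 0xF, "answer": sections[0], "authority": sections[1]}


def classify_delegation(child, parent_ds_response):
    """Security status of the delegation to `child`, judged ONLY from the parent zone's DS answer.

    secure   -> DS present: the child zone is signed and must validate.
    insecure -> NODATA with a signed NSEC/NSEC3 proof: the child is unsigned, skip validation.
    bogus    -> neither a DS nor a proof of its absence (or an error rcode).
    Only the NOERROR/NODATA shape is handled here; NXDOMAIN proofs are out of scope.
    """
    msg = parse_response(parent_ds_response)
    if msg["rcode"] != RCODE_NOERROR:
        return "bogus"
    child = child.lower().rstrip(".") + "."
    if any(n == child and t == TYPE_DS for n, t, _ in msg["answer"]):
        return "secure"
    authority_types = {t for _, t, _ in msg["authority"]}
    if (authority_types & {TYPE_NSEC, TYPE_NSEC3}) and TYPE_RRSIG in authority_types:
        return "insecure"
    return "bogus"


CHILD = "g.applimg.com."

# Constructed: the parent (com.) answering "g.applimg.com. DS" with NODATA and a placeholder signed NSEC3.
PARENT_NODATA_WITH_NSEC3 = build_response(CHILD, TYPE_DS, RCODE_NOERROR, authority=[
    ("ck0pojmg874ljref7efn8430qvit8bsm.com.", TYPE_NSEC3, b"\x01\x00\x00\x0a" + b"\x00" * 22),
    ("ck0pojmg874ljref7efn8430qvit8bsm.com.", TYPE_RRSIG, b"\x00" * 18 + b"\x03com\x00" + b"\x00" * 64),
])
# Constructed: what the parent would answer if the child zone were signed (placeholder DS rdata).
PARENT_WITH_DS = build_response(CHILD, TYPE_DS, RCODE_NOERROR, answer=[
    (CHILD, TYPE_DS, struct.pack("!HBB", 12345, 13, 2) + b"\x11" * 32),
])
# Constructed: a DNSSEC-unaware child server refusing the same DS query.
CHILD_REFUSED = build_response(CHILD, TYPE_DS, RCODE_REFUSED)

if __name__ == "__main__":
    print("parent NODATA+NSEC3 ->", classify_delegation(CHILD, PARENT_NODATA_WITH_NSEC3))
    print("parent with DS      ->", classify_delegation(CHILD, PARENT_WITH_DS))
    print("child REFUSED       ->", classify_delegation(CHILD, CHILD_REFUSED))
```

The last line of the demo is the failure mode the thread describes: if a resolver judged the delegation by the child server's reaction to the DS query it would land on "bogus" and fail the lookup, while the parent's answer already settles the question as "insecure" and the child's DNSSEC-awareness is irrelevant.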