The protection for this is in certificate transparency, as Chrome will throw up a warning if a certificate is otherwise valid but never shows up in the CT logs. See: https://no-sct.badssl.com/
CAA combined with this CT requirement means that businesses serious about issuance can set up a service to watch CT logs and get notified every time a certificate is issued, so any would-be CA attacker would have to be pretty quick with their attack if they wanted to impersonate fb.com, and that CA would be questioned by the CA/B community pretty quickly for breaking CAA policies.
They shouldn't. CAA controls issuance, but the browser isn't performing issuance.
It's completely allowed (a bit paranoid, but allowed) to set CAA to forbid everybody from issuing except when you are actually getting new certificates.
But now your hypothetical "CAA checking" browser thinks the certificates issued this way aren't valid, because when it visited, hours, weeks or even months later, the CAA record did not allow the certificate it saw.
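As an added example (not code from either commenter), here is a minimal CT-log monitor of the kind the first comment describes, built so that it also makes the second comment's point: it reports every certificate logged for a watched domain and judges the issuing CA against the domain's CAA policy as it stood at logging time, alongside what a naive check against the current CAA record would say. The log entries, the CAA history for `example.com`, the CA names and the helper functions are all constructed for the example; a real monitor would fetch entries from a CT log (RFC 6962 `get-entries`) and resolve CAA over DNS (RFC 8659).

```python
"""Constructed CT-log monitor with time-aware CAA checking (example code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class CaaRecord:
    # Window during which this CAA record set was published in DNS.
    valid_from: datetime
    valid_to: Optional[datetime]   # None = still the current record set
    issuers: FrozenSet[str]        # "issue" tag values; empty = nobody may issue


@dataclass(frozen=True)
class CtEntry:
    logged_at: datetime
    issuer: str                    # issuer CA, as named in the certificate
    names: Tuple[str, ...]         # subject alternative names


def _dt(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed CAA history for example.com: the "paranoid" setup from the
# thread, forbidding issuance except during a short renewal window.
CAA_HISTORY = {
    "example.com": [
        CaaRecord(_dt("2024-01-01T00:00:00"), _dt("2024-03-01T00:00:00"), frozenset()),
        CaaRecord(_dt("2024-03-01T00:00:00"), _dt("2024-03-01T06:00:00"), frozenset({"letsencrypt.org"})),
        CaaRecord(_dt("2024-03-01T06:00:00"), None, frozenset()),
    ],
}

# Constructed CT log entries: a legitimate renewal inside the window, a
# certificate from an unexpected CA months later, and an unrelated domain.
SAMPLE_ENTRIES = [
    CtEntry(_dt("2024-03-01T02:00:00"), "letsencrypt.org", ("example.com", "www.example.com")),
    CtEntry(_dt("2024-05-10T12:00:00"), "unexpected-ca.test", ("login.example.com",)),
    CtEntry(_dt("2024-05-11T12:00:00"), "letsencrypt.org", ("other.test",)),
]
NOW = _dt("2024-06-01T00:00:00")


def caa_policy_at(domain: str, when: datetime) -> Optional[CaaRecord]:
    """CAA record in effect for `domain` at `when`.

    Walks up the label tree to the closest ancestor that publishes CAA, as
    RFC 8659 prescribes. None means no CAA applies (issuance unrestricted)."""
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CAA_HISTORY:
            for rec in CAA_HISTORY[candidate]:
                if rec.valid_from <= when and (rec.valid_to is None or when < rec.valid_to):
                    return rec
            return None
    return None


def monitor(entries: List[CtEntry], watched: FrozenSet[str], now: datetime) -> List[dict]:
    """Return one alert per watched name seen in the log.

    Every issuance is reported so the operator can confirm it was expected.
    `caa_ok_at_issuance` is the meaningful check; `caa_ok_now` shows why a
    browser that checked CAA at visit time would reject legitimate certs."""
    alerts = []
    for e in entries:
        for name in e.names:
            base = name[2:] if name.startswith("*.") else name
            if not any(base == w or base.endswith("." + w) for w in watched):
                continue
            rec_then = caa_policy_at(base, e.logged_at)
            rec_now = caa_policy_at(base, now)
            alerts.append({
                "name": name,
                "issuer": e.issuer,
                "logged_at": e.logged_at.isoformat(),
                "caa_ok_at_issuance": rec_then is None or e.issuer in rec_then.issuers,
                "caa_ok_now": rec_now is None or e.issuer in rec_now.issuers,
            })
    return alerts


def run_example() -> List[dict]:
    return monitor(SAMPLE_ENTRIES, frozenset({"example.com"}), NOW)


if __name__ == "__main__":
    for a in run_example():
        status = "OK" if a["caa_ok_at_issuance"] else "UNEXPECTED ISSUER"
        print(f"{a['logged_at']} {a['name']:<20} {a['issuer']:<20} {status} (current CAA would say ok={a['caa_ok_now']})")
```

With the sample data the renewal certificates pass the issuance-time check but fail against the current record, which is exactly the false positive a CAA-checking browser would produce; the `login.example.com` certificate fails both and is the one worth paging someone about.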