[vbezhenar]

I don't follow your threat model.

Let's say that browser is fine with CT if either leaf or intermediate certificate is logged.

If you need to issue fake certificate, you need to either log it, or you need to issue fake intermediate certificate and log it.

Either way it's visible to website owner (and other people likely won't care anyway).

[jchw]

It would be completely possible to do it that way, but doing it this way ensures that at no point does certificate issuance become opaque and impossible to scrutinize. We want to ensure that CAs follow certain rules, and CT logs are one way to do this. For example, a CA should not issue a certificate with a forged "not before" time. There are certainly many more cases like this.

Public CT logs mean that the property of transparent certificate issuance extends to the entire Internet, which is good. If you want private certs, you can use a private CA and deploy it to the machines in your domain. Totally reasonable alternative in my opinion.