always wondered this, but kept forgetting to post it
e.g. users would be on @grant@toast.ooo
and a community would be on @canvas@group.toast.ooo
or something like that
then it would still follow the AP spec but still allow for identical identifiers (like a user account being @sc07@toast.ooo and a community also being !sc07@toast.ooo)
TLS certs can have one level of wildcard (even Let's Encrypt supports this), and creating subdomains programmatically is not exactly black magic - the main blocker from the technical side is that the code to update the DNS is usually not portable between providers, so it's not adequate for a federated open source project.