Replies (2)

Indeed, your domain registrar can always rug you by pointing a record to their own server and issuing a fresh HTTPS certificate. Meanwhile DNSSEC is easier to verify, @Matt Corallo wrote some Rust code for it, unlike HTTPS, which only browsers can. The privacy downside is having to fetch the TXT record with the proof somehow, e.g. with DNS-over-HTTP. But you could have relays share the records.
DZC 1 year ago
I'm not sure there's any downside with the DNS option, as you have to do a DNS resolution anyway in the HTTPS option too.