A MitM is definitely a game-over scenario. Your threat model implies that only the legitimate server/domain owner would be able to create an account and request a challenge token for a domain. That is not the case - the attacker can do so as well, thus giving them all they need to generate the correct key authorization. This is true for dns-01 without DNSSEC.
The request containing all the information needed to pass the validation is definitely not optimal (hence the existence of tls-sni-02), and it is something that would indeed be problematic for the HTTP challenge because many web servers echo back the request URI (as demonstrated by the recent GoDaddy misissuance), but it’s not something that any TLS servers I’m aware of do by default (or really in any common configuration scenario). The bigger concern - as @jsha mentioned - is the footgun this represents for validation server implementors, who might open themselves up to misissuance. It’s a good improvement, but I don’t think it warrants an immediate deprecation.
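The validator footgun described above, as an added example that is not part of the thread or of any CA's code: it builds the RFC 8555 key authorization (token plus RFC 7638 account-key thumbprint) and shows that a validator doing a substring search is fooled by a server that echoes the request URI when the request carries the whole key authorization, while an exact-match validator is not. The account JWK, token and echoing server are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

# Constructed account key: the x/y values are placeholders, not a real curve point.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "placeholder-x-coordinate", "y": "placeholder-y-coordinate"}
TOKEN = "constructed-token-not-a-real-challenge"

def echoing_server(request_path: str) -> str:
    """Simulates a misconfigured web server whose 404 page reflects the request URI."""
    return f"<html><body>404 Not Found: {request_path}</body></html>"

def weak_validate(body: str, expected: str) -> bool:
    """Footgun: a substring search passes whenever the server echoes the request."""
    return expected in body

def strict_validate(body: str, expected: str) -> bool:
    """Body must be exactly the key authorization; only trailing whitespace is tolerated."""
    return hmac.compare_digest(body.rstrip("\r\n").encode(), expected.encode())

def demo() -> dict:
    ka = key_authorization(TOKEN, ACCOUNT_JWK)
    # Hypothetical challenge variant in which the request itself carries the key authorization.
    echoed = echoing_server(f"/.well-known/acme-challenge/{ka}")
    honest = ka + "\n"  # what a correctly provisioned responder returns
    return {
        "weak_on_echo": weak_validate(echoed, ka),        # True: misissuance path
        "strict_on_echo": strict_validate(echoed, ka),    # False
        "strict_on_honest": strict_validate(honest, ka),  # True
    }

if __name__ == "__main__":
    print(demo())
```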