I didn’t read the group thread (a liiiiitle bit TL;DR if you ask me!), but I myself am missing the usefulness of such a flag.
AFAIK the CAA system is there to ‘protect’ your domain from “accidental” or malicious issuing of certificates which aren’t under your control and could be used for MitM attacks, by limiting the number of CAs which are allowed to issue certificates for your domain.
The key here is: accidental or malicious issuing of certificates. Not legitimate certificates requested by yourself!
You yourself are in control of the CAA record. You yourself are in control of the issuing of a (must staple) certificate.
I do not see the additional value of such a flag, because when you request the issuing of such a certificate, you can ask for must staple then. Why would you put it in a CAA flag?
Read it anyway: TL;DR version of the Google Groups thread: if someone is tricked into issuing a certificate for the domain (phishing, or something else), the problem is that revocation is quite broken at the moment and OCSP stapling with must staple is sort of an answer to this; therefore requiring must staple through CAA improves security when someone is tricked into validating the domain for a malicious person and a certificate is generated by someone not allowed to.
Well, this implies CAA records are followed by every CA. There are a lot of CAs not implementing CAA records. Therefore, the malicious user who is phishing employees can just choose one of those CAs. Or the Baseline Requirements should enforce the use of CAA records. In thát case, and only in that case, such a must staple flag in a CAA record could be useful.
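The post argues about what a CAA record can and cannot enforce, so it helps to see what a CA actually evaluates. The following is an added example, not code from the thread or from any CA: it encodes and parses CAA RDATA in the RFC 8659 wire format (one flags byte, one tag-length byte, the tag, then the value) and applies the standard decision rules a compliant CA follows, including the rule that a critical-flagged property tag the CA does not understand must block issuance. The sample records, the CA names and the `example.com` addresses are constructed for the example; nothing here speaks to a hypothetical must-staple tag, which no RFC defines.

```python
import struct

# RFC 8659 §4.1: bit 0 of the flags byte is the "Issuer Critical" flag.
CAA_CRITICAL = 0x80
# Property tags defined by RFC 8659; anything else is "unknown" to this checker.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def encode_caa(flags: int, tag: str, value: str) -> bytes:
    """Build CAA RDATA: flags (1 byte) | tag length (1 byte) | tag | value."""
    tag_bytes = tag.encode("ascii")
    if not 0 < len(tag_bytes) < 256:
        raise ValueError("tag length must be 1..255")
    return struct.pack("BB", flags, len(tag_bytes)) + tag_bytes + value.encode("ascii")


def parse_caa(rdata: bytes) -> dict:
    """Parse CAA RDATA into its fields; reject malformed records."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()  # tags are case-insensitive
    value = rdata[2 + tag_len:].decode("ascii")
    return {"flags": flags, "critical": bool(flags & CAA_CRITICAL), "tag": tag, "value": value}


def issuer_domain(value: str) -> str:
    """'ca.example.net; account=123' -> 'ca.example.net'; a bare ';' yields '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(records: list[bytes], ca_domain: str, wildcard: bool = False) -> bool:
    """Apply the RFC 8659 issuance rules for one CA against a domain's CAA RRset."""
    parsed = [parse_caa(r) for r in records]

    # §4.1: a critical property the CA does not understand forbids issuance.
    if any(p["critical"] and p["tag"] not in KNOWN_TAGS for p in parsed):
        return False

    issue = [p for p in parsed if p["tag"] == "issue"]
    issuewild = [p for p in parsed if p["tag"] == "issuewild"]

    # §4.3: issuewild governs wildcard requests when present; otherwise issue applies.
    # issuewild is ignored for non-wildcard requests.
    relevant = issuewild if (wildcard and issuewild) else issue

    # §4.2: an empty issue property set places no restriction on issuance.
    if not relevant:
        return True

    return any(issuer_domain(p["value"]) == ca_domain.lower() for p in relevant)


# Constructed sample RRset: one permitted CA and a reporting address.
SAMPLE_RRSET = [
    encode_caa(0, "issue", "ca-one.example"),
    encode_caa(0, "iodef", "mailto:security@example.com"),
]

# Constructed RRset carrying a critical tag this checker does not know.
UNKNOWN_CRITICAL_RRSET = [
    encode_caa(CAA_CRITICAL, "issue", "ca-one.example"),
    encode_caa(CAA_CRITICAL, "someunknownproperty", "1"),
]

if __name__ == "__main__":
    print("ca-one.example may issue:", ca_may_issue(SAMPLE_RRSET, "ca-one.example"))
    print("ca-two.example may issue:", ca_may_issue(SAMPLE_RRSET, "ca-two.example"))
    print("unknown critical tag blocks:", ca_may_issue(UNKNOWN_CRITICAL_RRSET, "ca-one.example"))
```

The last case is the one the thread's proposal would hinge on: a CA that honours CAA but does not implement a new property tag will refuse to issue only if the record sets the critical flag, and a CA that does not check CAA at all never reaches this logic, which is the gap the post points out.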