Theoretical question: Should the entity owning your TLD be able to get certs for your domain? If not, why not? They control it, so they own your domain. Why do you assume that every level below every domain is under the clear-cut authority of a single entity?
If you delegate a subdomain away, you are no longer the authority for it. You don’t control its contents. You delegated that. Only by forcefully violating that authority can you control what happens in that subdomain.
Bad analogy time: A landlord owns the house. If he rents out rooms, he is no longer allowed to enter without permission.
You need to understand the difference between ownership and authority.