Really, the more I think about it, in that scenario it's really entirely on Foo Co. to have revoked their certificate (or maybe we need to establish some new way of disclaiming the domain names in ACME if needed) before selling the domain to Bar Inc. As was discussed in another thread here recently, if someone loses access to the certificate private key entirely (like it physically gets stolen, or the attacker wipes it after copying the key and other data from it), up until this change the standard approach to recover would be to just create a new ACME account, authorize the names, and use that to claim the old key was compromised. If one can't do that now, then I think you're going to end up with people either just not letting you know keys are compromised since they can no longer "prove" it with the certificate key, or they'd need to keep more certificate key backups (making the risk of a cert key compromise more likely).
Should this change really have happened back in July when CPS 4.0 updated section 4.9.12 to say only the private key of the cert could be used to demonstrate key compromise? At the very least, there probably should have been an API Announcement post at that time with an overview of the CPS changes. Somehow I'd missed that section when I was trying to understand what was happening, but now it looks like it was at least kind of documented since then, at least for people meticulous about looking at updated policy documents.