TLS certs for IP addresses for providers who change them?

I feel like I gave an example above incentivizing (some) small sites to use this when they shouldn't. It would be more vulnerable to real attacks, e.g. by the hoster, which have happened; see here. Visitors can't predict this.

There would also be multiple fix possibilities:

  • e.g. have all TLS libraries reject IP-based certs always, unless the app tells them on a case-by-case basis that this is for DNS over HTTPS or user-wanted. Advanced users could e.g. enable this in their browser if they need it for some cloud admin page.

  • Or Let's Encrypt could charge for this use, not incentivizing use over a domain.

  • The loss of hosting default pages still showing an error wouldn't be big, I imagine.
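The first fix option above (a TLS library refusing IP-address certificates unless the application opts in per connection) written as a Go verification hook. This is an added example, not code from the poster or from any TLS library; it assumes Go's crypto/tls VerifyPeerCertificate hook, and the IPCertPolicy type name and the self-signed test certificate are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

// IPCertPolicy is the "reject IP-address certs unless the app opts in" rule; AllowIP is the per-connection opt-in (e.g. set only for a DoH resolver).
type IPCertPolicy struct{ AllowIP bool }

// VerifyPeer has the signature of tls.Config.VerifyPeerCertificate and runs after normal chain verification.
func (p IPCertPolicy) VerifyPeer(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("no peer certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	if len(leaf.IPAddresses) > 0 && !p.AllowIP {
		return errors.New("leaf certificate carries IP-address SANs and the application did not opt in")
	}
	return nil // DNS-name certificate, or the application accepted an IP cert
}

// newTestCert builds a constructed self-signed certificate with an IP SAN when
// ip != nil, otherwise a DNS SAN for example.test, so the policy runs offline.
func newTestCert(ip net.IP) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	} else {
		tmpl.DNSNames = []string{"example.test"}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```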