And in fact, in the past a CA has issued a certificate without requiring the corresponding private key to be under their subscriber's control (as CSRs aren't actually required to be used by the specs), and it wasn't considered an "incident" by Mozilla, though it's certainly weird.
https://groups.google.com/g/mozilla.dev.security.policy/c/x_DeTDKBwWI/m/BQVtHEVQAgAJ