With DANE, your browser trusts the certificates that your signed TLSA record specifies. Meaning all your trust is in ICANN to not misuse the root KSK. At least today with CAs, we have 4 major root programs and one of them (Mozilla) is completely managed in the open. But seeing as how no browsers implement DANE and DNSSEC deployment is pitiful, it is a moot point for now.
FWIW the ACME WG really did not like the “static CNAME” idea (like what ACM implements) when it was posted to the mailing list. Most members seem to believe that it is an “end run” of validation practices. But I’m still unconvinced that a single CNAME indirection on its own is enabling Amazon to do what they do.
But that is already the case as long as we use public DNS at all, so it is not more of a problem than it has been forever, and ICANN can do nothing without the world getting aware of it.