> Second, they should be using the public suffix list (https://publicsuffix.org/) to avoid having their entire domain tagged. How else is Google supposed to know that subdomains belong to different users? That's what the PSL is for.

How is this kinda not insane? https://publicsuffix.org/list/public_suffix_list.dat

A centralized list, where you have to apply to be included and it's up to someone else to decide whether you will be allowed in? How is this what they went for: "You want to specify some rules around how subdomains should be treated? Sure, name EVERY domain that this applies to."

Why not just something like https://example.com/.well-known/suffixes.dat at the main domain or whatever? Regardless of the particulars, this feels like it should have been an RFC and a standard that avoids such centralization.

There was an IETF working group that was working on a more distributed alternative based on a DNS record (so you could make statements in the DNS about common administrative control of subdomains, or lack of such common control, and other related issues). I believe the working group concluded its work without successfully creating a standard for this, though.

The problem is that you then have to trust the site's own statement about whether its subdomains are independent.
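The lookup this thread is arguing about, as an added example that is not part of any comment here or of the PSL project's code: a minimal matcher for the list's rule syntax (plain, `*.` wildcard and `!` exception rules) showing how one private-section entry changes whether two user subdomains count as the same site. The list excerpt, the provider name `pages.example` and all function names are constructed for illustration.

```python
# Constructed sample in public_suffix_list.dat syntax. "pages.example" is a
# hypothetical hosting provider, not an entry copied from the real list.
SAMPLE_PSL = """
// ===BEGIN ICANN DOMAINS===
co.uk
uk
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS===
pages.example
"""

def parse_rules(text):
    """Map each rule's label tuple to True if it is an exception (!) rule."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//"):
            rule = line.split()[0].lower()
            rules[tuple(rule.lstrip("!").split("."))] = rule.startswith("!")
    return rules

def public_suffix(host, rules):
    labels = host.lower().rstrip(".").split(".")
    best = labels[-1:]  # default rule "*": the TLD alone is the suffix
    for i in range(len(labels)):
        cand = labels[i:]
        for key in (tuple(cand), ("*", *cand[1:])):
            if key not in rules:
                continue
            if rules[key]:  # exception rule prevails: drop its leftmost label
                return ".".join(cand[1:])
            if len(cand) > len(best):  # otherwise the longest match prevails
                best = cand
    return ".".join(best)

def registrable_domain(host, rules):
    """Public suffix plus one label, or None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

def same_site(a, b, rules):
    """True when both hosts share one registrable domain."""
    ra, rb = registrable_domain(a, rules), registrable_domain(b, rules)
    return ra is not None and ra == rb
```

With the `pages.example` rule removed, `alice.pages.example` and `bob.pages.example` collapse to the single registrable domain `pages.example`, which is the "entire domain tagged" outcome from the first comment; with the rule present, each user host is its own registrable domain.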