My solution: put a CNAME record in your zone pointing to a subdomain, and have that subdomain be served by a separate DNS server (for example desec.io).
If something gets the credentials for desec.io, they can only use them to do stuff with the single TXT record.
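An added example, not code from the commenter: a small Python model of that delegation which assumes the TXT record is an ACME `_acme-challenge` record and that `acme.example.com` is the subdomain served by the separate provider. It follows the CNAME the way a validating resolver would, guards against loops and overly long chains, and checks that the chain actually ends inside the delegated zone rather than back in the primary one.

```python
"""Added example (not from the original comment). Models a CNAME-delegated
challenge record and the checks a defender would run on the delegation."""

# Constructed records. The primary zone (example.com) holds only a CNAME for
# the challenge label; the TXT lives in acme.example.com, a zone assumed to be
# NS-delegated to a separate provider (e.g. desec.io). The _acme-challenge
# label is an assumption about what the single TXT record is used for.
PRIMARY_ZONE = "example.com."
DELEGATED_ZONE = "acme.example.com."
RECORDS = {
    "_acme-challenge.example.com.": [("CNAME", "_acme-challenge.acme.example.com.")],
    "_acme-challenge.acme.example.com.": [("TXT", "constructed-token-value")],
}


def resolve_txt(name, records=RECORDS, max_hops=8):
    """Follow CNAMEs from `name` until a TXT rrset is found.
    Returns (txt_values, chain_of_names); raises on loops or long chains."""
    chain, seen = [name], {name}
    for _ in range(max_hops):
        rrset = records.get(name, [])
        txts = [v for t, v in rrset if t == "TXT"]
        if txts:
            return txts, chain
        cnames = [v for t, v in rrset if t == "CNAME"]
        if not cnames:
            return [], chain          # dead end: nothing to validate against
        name = cnames[0]
        if name in seen:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [name]))
        seen.add(name)
        chain.append(name)
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def delegated_correctly(name, records=RECORDS, delegated=DELEGATED_ZONE):
    """True iff resolving `name` crosses at least one CNAME and ends inside the
    delegated zone, i.e. the provider's credentials only reach that zone."""
    _, chain = resolve_txt(name, records)
    return len(chain) > 1 and in_zone(chain[-1], delegated)
```

`delegated_correctly` returning False means the challenge record still lives in the primary zone, so the separate provider's credentials would not be the only ones needed to answer the challenge.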