I'd also love TOFU for TLS, at least on .local TLDs, but for publicly hosted websites, I've come around to the idea that maybe encryption without authentication would not help that much these days.

As for who does that authentication: Given all the suggestions in the sibling threads, I really don't think we're in a situation where there's a single entity gatekeeping access by any means.