My point was that CAA's threat model is flexible based on your requirements. If your requirement is "an attacker with the ability to make arbitrary network requests from the host can not pretend to be Chrome", CAA does not work unless you have OS/Hardware support (which ChromeOS provides).

I just don't think that matters much. CAA is policy enforcement, it is not a full MDM solution, nor is it antimalware.