That was just a hypothetical example to illustrate how much power browser vendors have over the web; they wouldn't need to literally migrate to a different DNS root in order to effect change in this space, but I maintain they absolutely could go that far (again, hypothetically) if they all agreed and there were a sufficiently compelling reason.
Browsers always had full control over CA root programs, it's just a question of how willing they were to actually assert themselves in that fashion. I agree they've become more bold about that over the years, but what Mozilla just did to TrustCo was always an option for the major browser vendors, both legally and technically (or at least since automatic updates became a thing). DNS is also effectively a browser feature these days, as evidenced by all the browsers suddenly supporting things like DNS-over-HTTPS despite host operating systems lacking support. Given a sufficiently smooth transition path for users and website operators, browser vendors could collectively decide to alter their DNS implementations in pretty much any way they want.
I don't think this is really true at all, and I think it underestimates (significantly) the amount of behind-the-scenes work that went into the current WebPKI situation with activist root programs. I don't think there's any reason at all to believe that browsers would have similar success governing a DNS PKI, and there are specific reasons --- evidence, even --- to believe they wouldn't. We can go round and round on this stuff, but I feel like I'm repeating myself at this point.
Like I said, I agree with you that a naive, purely DNS-based PKI would be less flexible in that regard. That was a good point, and well noted.
However, the current status quo is sort of ignoring the big DNS-shaped elephant in the room. You can build all the validation and transparency solutions you want on top of the CA system, but it's still fundamentally dependent on the security of a DNS system that currently requires no cryptographic assurances that the records the CAs are validating against are actually correct.
Browsers always had full control over CA root programs, it's just a question of how willing they were to actually assert themselves in that fashion. I agree they've become more bold about that over the years, but what Mozilla just did to TrustCo was always an option for the major browser vendors, both legally and technically (or at least since automatic updates became a thing). DNS is also effectively a browser feature these days, as evidenced by all the browsers suddenly supporting things like DNS-over-HTTPS despite host operating systems lacking support. Given a sufficiently smooth transition path for users and website operators, browser vendors could collectively decide to alter their DNS implementations in pretty much any way they want.