I use a dot io domain name for one of my email addresses, but I've always been slightly worried about the possibility of my domain registrar being socially engineered. If someone gets into my domain account, that could lead to ATO and change of the MX records. Should I be concerned? Is there a "best practices" dot io domain registrar that won't allow this to happen?

There is something called "locking facility" that some registrars provide. That is changes can be made only with a 2 factor auth.

Might also be worth using a very long (1 week - 1 month?) TTL for your DNS MX records. This is no guarantee but it should buy you some extra time over the default which could be only an hour or so.

One trick is to set a very long TTL on your MX records to mitigate any damage if your account is compromised.