Hacker News

Anyone who can MITM a site can MITM a CAA record.


That's also true today, without CAA records.

Anyone who can MITM a site can also get a valid certificate for it.


I think you are talking about MITM all traffic to a site as opposed to MITM all traffic from specific clients (e.g.: hostile webhost vs compromised router).


Oh I see what you mean. So the parent poster is saying that if some router gets compromised, then it can perform a MITM against its clients, faking the CAA record of some website which would trick the clients into believing the correct CA for that website is different from the real one.

Indeed, that would be a problem with the CAA approach, currently. To be immune against that attack, clients would either need to 1) use DNS-over-HTTPS, 2) use DNS-over-TLS or 3) perform DNSSEC validation of the CAA record.

Either 1, 2 or 3 would be enough to thwart the attack, but of course, it would be better if they did either (1 and 3) or (2 and 3).
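Option 3 from the comment above, as an added example that is not from the thread or any real resolver: a client-side CAA check in Python that implements the RFC 8659 parent walk and refuses to draw any conclusion from an answer the resolver did not mark as DNSSEC-authenticated (the AD bit), which is exactly the data a compromised router could forge. The zone contents, the `authenticated` flags and the CA names are constructed test data.

```python
from dataclasses import dataclass
@dataclass
class CaaRecord:
    flags: int   # bit 7 (value 128) marks the property "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # for issue/issuewild: CA domain, optionally "; key=value"
@dataclass
class CaaAnswer:
    records: list        # CAA records for the queried name (may be empty)
    authenticated: bool  # True only if the resolver set the AD bit (DNSSEC)
def parse_caa(text: str) -> CaaRecord:
    """Parse presentation format such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = text.split(None, 2)
    return CaaRecord(int(flags), tag.lower(), value.strip().strip('"'))

def relevant_caa(lookup, name: str):
    """RFC 8659 s3 parent walk: the first non-empty CAA set wins. Every answer
    on the walk, empty ones included, must be authenticated, else return None."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        ans = lookup(".".join(labels[i:]))
        if not ans.authenticated:
            return None   # forged or unsigned data: refuse to decide from it
        if ans.records:
            return ans.records
    return []  # no CAA anywhere in the tree: no restriction

def issuer_allowed(records, ca_domain: str, wildcard: bool = False) -> bool:
    """Would ca_domain have been permitted to issue under this CAA set?"""
    if records is None:
        return False  # fail closed on unauthenticated answers
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in records):
        return False  # unknown critical property: nobody may issue
    rel = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not rel:
        rel = [r for r in records if r.tag == "issue"]
    if not rel:
        return True   # no issue/issuewild property: no restriction
    # '0 issue ";"' yields an empty CA name and therefore forbids everyone
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in rel}
    return ca_domain.lower() in allowed

# Constructed zone data standing in for resolver responses (not real DNS data).
ZONE = {
    "example.com": CaaAnswer([parse_caa('0 issue "letsencrypt.org"')], True),
    "www.example.com": CaaAnswer([], True),
    "shop.example.net": CaaAnswer([parse_caa('0 issue "attacker-ca.test"')], False),
}
def lookup(qname: str) -> CaaAnswer:
    return ZONE.get(qname, CaaAnswer([], True))
```

A real client would feed `lookup` from a validating resolver and only then compare the certificate's issuer against the result; without the AD check, the walk happily accepts whatever an on-path attacker injects.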



