
>in a way that we shouldn't assume any ownership only based on the domain itself.

I probably have a naive understanding of this, but why not? In your Shopify example, users should certainly be taught that Shopify does have ownership of mystore.shopify.com (in at least the 'security' and 'privacy' areas of concern from the write-up). Likewise, entities proxying resources controlled by others through their own domains (e.g. CNAME cloaking) should take responsibility for what they are serving and how they are exposing their clients.




mystore.shopify.com is definitely hosted by Shopify but its content is a totally isolated entity. You can trust laptops.shopify.com but this trust should not automatically transfer to fakestore.shopify.com. In the same way, if you have a valid account on laptops.shopify.com, the browser shouldn't allow fakestore.shopify.com to emit a request and buy something on laptops.shopify.com with your valid session on your behalf, even though they're on the base domain.

You also have the parallel problem of how to transfer the trust you have in google.co.uk to youtube.co.jp based only on the domain info you have.

This is all to say that using only domain names to resolve ownership is a hard problem. For ages browsers have used a crowdsourced list [1] to get around this issue, but recently it proved not to scale very well, especially after Apple's move to use this list as part of their "Limit Ad Tracking" solution.

[1] https://publicsuffix.org/


If the proposal was limited to opting into strict origin scope (instead of eTLD+1/registrable domain scope) for cookies and other privacy-related things, it would be an improvement.

But it also allows things like specifying that laptops.shopify.com, laptops.com, laptops.social.com, desktops.com and calculators.com are the same party and therefore tracking may happen across them. There's no obvious good way to put the user on notice of this, and the Explainer totally punts on addressing this problem, instead leaving it to each browser to figure out.
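
Added example, not part of the thread and not any browser's code: a sketch of the Public Suffix List matching algorithm (longest rule, wildcards, exceptions) showing how the two store hostnames discussed above move from same-site to cross-site once the shared domain is listed as a suffix, and how strict origin scope differs from eTLD+1 scope. The rule list is a constructed sample, the `shopify.com` entry in it is an assumption made for illustration, and the function names are hypothetical.

```javascript
// Constructed sample in Public Suffix List rule syntax; NOT the real list.
// Listing "shopify.com" is an assumption made here to model a hosting
// provider that registers its shared domain as a private suffix.
const SAMPLE_RULES = ["com", "co.uk", "co.jp", "*.ck", "!www.ck", "shopify.com"];

function buildRules(lines) {
  const rules = { exact: new Set(), wildcard: new Set(), exception: new Set() };
  for (const line of lines) {
    if (line.startsWith("!")) rules.exception.add(line.slice(1));
    else if (line.startsWith("*.")) rules.wildcard.add(line.slice(2));
    else rules.exact.add(line);
  }
  return rules;
}

// Returns the registrable domain (eTLD+1), or null if host is itself a suffix.
function registrableDomain(host, rules) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  let suffixLen = 1; // implicit "*" rule: an unlisted TLD is a one-label suffix
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const len = labels.length - i;
    if (rules.exception.has(candidate)) { suffixLen = len - 1; break; } // exceptions win
    if (rules.exact.has(candidate)) suffixLen = Math.max(suffixLen, len);
    if (i > 0 && rules.wildcard.has(candidate)) suffixLen = Math.max(suffixLen, len + 1);
  }
  if (labels.length <= suffixLen) return null;
  return labels.slice(labels.length - suffixLen - 1).join(".");
}

// Classifies two URLs under strict origin scope and under eTLD+1 (site) scope.
// Scheme is ignored for the site comparison to keep the example short.
function relation(urlA, urlB, rules) {
  const a = new URL(urlA), b = new URL(urlB);
  if (a.origin === b.origin) return "same-origin";
  const siteA = registrableDomain(a.hostname, rules);
  const siteB = registrableDomain(b.hostname, rules);
  return siteA !== null && siteA === siteB ? "same-site" : "cross-site";
}

const withoutEntry = buildRules(["com", "co.uk", "co.jp"]);
const withEntry = buildRules(SAMPLE_RULES);
const stores = ["https://laptops.shopify.com/", "https://fakestore.shopify.com/"];
console.log(relation(...stores, withoutEntry)); // same-site
console.log(relation(...stores, withEntry));    // cross-site
console.log(relation("https://www.google.co.uk/", "https://www.youtube.co.jp/", withEntry)); // cross-site
```

The last call shows the parallel problem raised in the thread: suffix matching can split hosts apart, but it has no way to express that two different registrable domains share an owner.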



