Some CAs (Amazon) allow not publishing to the Certificate Transparency Log. But if you do this, browsers will block the connection by default. Chromium browsers have a policy option to skip this check for selected URLs. See: CertificateTransparencyEnforcementDisabledForURLs.
Some may find this more desirable than wildcard certificates and their drawbacks.
Firefox is currently rolling out the same thing. They will treat any non-publicly-logged certificate as insecure.
I’m surprised Amazon offers the option to not log certificates. The whole idea is that every issued cert should get logged. That way, fraudulently-issued certs are either well documented in public logs, or at least not trusted by the browser.
It doesn't seem like the choice has any impact on that. It just protects user privacy if that's what they want to prioritize.
Depending on the issuer logging all certs would never work. You can't rely on the untrusted entity to out themselves for you.
The security comes from the browser querying the log and warning you if the entry is missing. In that sense declining to log a cert is similar to self signing one. The browser will warn and users will need to accept. As long as the vast majority of sites don't do that then we maintain a sort of herd immunity because the warnings are unexpected by the end user.
A CISA article on wildcard security risks. Some of this is in part from common misimplementations (e.g. reusing private keys across servers), but not all of it.