OpenShift doesn't properly verify subdomain ownership, which allows route takeover. Once a custom route is created, the user must update the DNS provider by creating a canonical name (CNAME) record (if he likes to expose this route externally). The CNAME record should point the custom domain to the OpenShift router as the alias. In a case that the CNAME is not removed when the route is not in use anymore we are dealing with a dangling route. A malicious actor may take over the route.
Once a custom route is created, the user must update the DNS provider by creating a canonical name (CNAME) record (if he likes to expose this route externally). The CNAME record should point the custom domain to the OpenShift router as the alias. In a case that the CNAME is not removed when the route is not in use anymore we are dealing with a dangling route. A malicious actor may take over the route. OCP Managed services are not affected, to use a custom domain in OSD, customers use https://github.com/openshift/custom-domains-operator, which creates an additional ingress only known by the custom name, so there is no CNAME mapping in the external DNS to the "default" ingress' names.
I've closed the dependent bugs as DUPLICATE, EOL (for the 3.11 BZs), or NOTABUG. As I noted in bug 2101438, engineering maintains that it is the cluster administrator's responsibility to manage DNS records and to secure sensitive routes using TLS. If an automated solution is required for managing DNS records, the cluster administrator can use external-dns. Alternatively, a controller could be implemented to block route deletion if a DNS record exists for the route. I suggest filing an RFE if such a solution is required from engineering.