I wonder if it would be any diff if on cloudfare nip-05 is done via a cloudfare worker app returning the json package for that url and not a static text file? Out of my element here but was just looking at today when setting up my own domain to test.  Stupid gatekeeper mentality is ruining the whole privacy / security model.  I'm also seeing more websites that absolutely won't work with good VPNs.