The TLS authentication story is fully configurable. This hasn't changed compared to Quinn. We use noq in iroh, and in iroh we use raw public keys (RFC7250). When you use iroh, you don't need to set up DNS or TLS certificates, you just generate a key, share the public key and others can connect to you. (Of course the trouble is sharing the public key securely.)

It turns out that "Have the defaults arranged so that they suit a handful of crazy people but inconvenience literally everybody else" isn't popular. In fact preferring a tiny minority preference is sort of inherently unpopular, that's basically its defining feature as a policy.

Visiting websites (or making connections to IP based services) that aren't CA approved is not some crazy niche desire as you're painting it. It was the default for a very long time and is still the only way to access many websites. When changing the feature requires recompiling a lib and linking it into your browser which you also recompile it's basically reality and not just a default. The only reality. And that's bad. It should be a setting at least.