
I mostly agree with you. This has been an issue with multiple free DNS providers for many, many years (and one I personally reported to DigitalOcean years ago).

Unfortunately we now live in a world where control of DNS is proof of ownership. Look at the entire mess that is Domain Validated SSL certs and how CloudFlare has abused this to get certs for domains that have never pushed SSL traffic over their network.



> Unfortunately we now live in a world where control of DNS is proof of ownership.

We have never lived in a world where "control" of the Domain Name System was not equivalent to control of the domain name.


I'm not sure if you have used Google Apps before, but from memory it has DNS and website verification, so I can only assume it'd be vulnerable to this sort of attack.

Let's face it, being able to serve content on a website at all is enough to prove you own it these days.


You are misunderstanding how DNS works. Just because I can get a Google Cloud name server to point example.com at my server does not mean I own the domain. The gcloud nameservers are not the authoritative nameservers for the zone unless the root .com registry points at them.

Google Apps verification only asks the nameservers designated by the registrar for the domain.
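
The delegation point made in the comment above, as an added example that is not part of the original thread: a small offline model in which a validator trusts only the nameservers the registry delegates to, plus a check that lists zones a hosted DNS server answers for without holding the delegation. All domain names, nameserver names, tokens and function names are constructed assumptions.

```python
# Constructed data: every name and token below is made up for illustration.
# Parent-zone (registry) delegations: domain -> nameservers set at the registrar.
REGISTRY = {
    "example.com": {"ns1.registrar-dns.test"},
    "delegated.example": {"ns1.cloud-dns.test"},
}

# What each nameserver will answer: nameserver -> {(name, rtype): values}.
# A hosted DNS provider may serve a zone for a name it is not delegated for.
SERVERS = {
    "ns1.registrar-dns.test": {("example.com", "TXT"): {"verify=owner-token"}},
    "ns1.cloud-dns.test": {
        ("example.com", "TXT"): {"verify=other-token"},        # not delegated here
        ("delegated.example", "TXT"): {"verify=other-token"},  # delegated here
    },
}


def query(nameserver, name, rtype):
    """Return the record set a given nameserver serves (empty if none)."""
    return SERVERS.get(nameserver, {}).get((name, rtype), set())


def authoritative_txt(domain):
    """Collect TXT values only from nameservers the registry delegates to."""
    values = set()
    for ns in REGISTRY.get(domain, set()):
        values |= query(ns, domain, "TXT")
    return values


def validate(domain, token):
    """Domain validation that trusts delegated nameservers only."""
    return f"verify={token}" in authoritative_txt(domain)


def undelegated_zones():
    """List (nameserver, domain) zones served without a registry delegation."""
    return sorted(
        (ns, name)
        for ns, records in SERVERS.items()
        for (name, _rtype) in records
        if ns not in REGISTRY.get(name, set())
    )
```
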



