FYI: After you set up a profile it lets you customize your footer with arbitrary HTML/CSS/JS. It's definitely not secure.

See: http://xss.micro.blog



They should be more fussy with the subdomains they let go. E.g. https://support.micro.blog


Is that really a problem? XSS attacks usually involve letting a site's visitors add arbitrary HTML/JS. The account owner being able to is more of a feature.


XSS attacks aren't the only thing to be worried about. As noted above, you could buy a subdomain like "support.micro.blog" and trivially phish people's micro.blog credentials, for example.


:(


You can do that on any blog! E.g. blogger.com


I was about to say the same thing.

Think of the username.micro.blog pages as your personal home page, like a Wordpress or Squarespace blog site. They're a hosting option for people who aren't tech-savvy enough to set up an RSS feed / 280-char micro-post RSS feed on their own site, or just don't want the hassle of maintaining that setup.

I believe others have tried posting similar XSS into a Micro.Blog post, and it gets filtered out in the timeline feed that followers read, whether on the site or via 3rd party clients. (Now if someone proves that wrong, that would be a big deal.)


I think it's only true as long as every *.micro.blog subdomain is properly isolated, and you can't access cookies/sessions from micro.blog (e.g. post/comment as someone else, if there's no CSRF token). I haven't checked, but hopefully it's the case here. See: https://security.stackexchange.com/questions/95369/persisten...


Different subdomains are different origins. So it's safe.



It's not quite that simple once cookies (and Internet Explorer/Edge) get involved. But it definitely could be secure.
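The last two comments disagree on whether "different subdomains are different origins" settles the question. The following added example (written for this thread, not code from micro.blog or from any commenter) models both rules side by side: the same-origin policy compares scheme/host/port, while cookies follow RFC 6265 domain matching, under which a parent-domain cookie is shared with every subdomain and a subdomain may set one for its parent. The hostnames, the cookie jar and the `__Host-` prefix check are assumptions constructed for the demo.

```python
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """The (scheme, host, port) triple the same-origin policy compares."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS[p.scheme])


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the cookie domain or is a subdomain of it."""
    host, dom = request_host.lower(), cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def can_set_cookie(setting_host: str, name: str, domain_attr: Optional[str]) -> bool:
    """RFC 6265 section 5.3: a host may set a host-only cookie for itself, or a
    Domain= cookie for any parent domain it domain-matches. Cookies carrying the
    __Host- prefix (a mitigation, assumed here) must not have a Domain attribute."""
    if name.startswith("__Host-"):
        return domain_attr is None
    return domain_attr is None or domain_matches(setting_host, domain_attr)


def cookies_sent(request_host: str, jar: list) -> list:
    """jar entries are (name, setting_host, domain_attr). Host-only cookies
    (domain_attr None) return only to the host that set them; Domain= cookies
    go to every host that domain-matches the attribute."""
    out = []
    for name, setting_host, domain_attr in jar:
        if domain_attr is None:
            if request_host.lower() == setting_host.lower():
                out.append(name)
        elif domain_matches(request_host, domain_attr):
            out.append(name)
    return out


def demo() -> dict:
    # Constructed scenario: the main site sets a host-only session cookie; a
    # user-controlled subdomain then sets a cookie scoped to the parent domain.
    jar = [("session", "micro.blog", None)]
    if can_set_cookie("xss.micro.blog", "tossed", "micro.blog"):
        jar.append(("tossed", "xss.micro.blog", "micro.blog"))
    return {
        "same_origin": same_origin("https://micro.blog/", "https://xss.micro.blog/"),
        "sent_to_main_site": cookies_sent("micro.blog", jar),
        "sent_to_subdomain": cookies_sent("xss.micro.blog", jar),
    }
```

The host-only session cookie never reaches the subdomain, which is the isolation the thread hopes for, but the subdomain's parent-scoped cookie does reach micro.blog, which is the "cookies get involved" caveat; a `__Host-` prefixed session cookie is one way the main site can refuse such Domain-scoped writes.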



