Given a MUC service requires DNS and a matching X.509
cert and private key,
how is this going to be available for anyone but a trusted administrator of
a server?
Creating a new Slack space also requres a new DNS (subdomain of
slack.com),
matching X.509 cert and private key, and yet they don't require people to be
"a trusted administrator" of slack to create them. Lots of hosting services
allow virtual name creation by users (possibly certain class of users,
paying, etc, but this is up to service policy).