It's not enough for everyone involved to have CAA enabled. They need to have CAA enabled and to select a certificate authority that does effective domain ownership validation, which - as the article suggests - means (at minimum) multiple-origin checking of network-based challenge protocols like HTTP-01.
Personally, I think anyone who has a heightened attack risk ought to contemplate a CA that does some form of more thorough validation.
So if your site pulls in js from another site without sub resource integrity, and the other site doesn't have CAA configured you are vulnerable.