
Looking for suspiciously high entropy values compared to one's native language would be one way.



Devil's advocate: then instead of using subdomains with randomly generated strings, we use words from a dictionary instead.


That won't work: for instance https://twitter.com/aeris22/status/1193644687950860289 (securite means security/safety in French, but that subdomain is a CNAME for smartadserver)


Then we block those words :-)


You would have to block entire wordlists to combat subdomains like that. It would make more sense to whitelist subdomains instead, but it would require much more effort in order to determine what subdomains are required for the website to function. Additionally, if the site in question ever decided to change anything around, someone would have to catch the breaking change and have it corrected on the whitelists for the site to function again.


How do you know what words to block?


Machine learning by analyzing what displays on the page by blocking different domains. Bots can be automated to do that continuously and update a decentralized database with such information.
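Added example, not part of any comment in the thread: the entropy heuristic from the first comment next to a CNAME-target check, run over constructed records to show why a dictionary-word subdomain slips past entropy alone. The hostnames, the 3.5 bits/char threshold, the 10-character minimum and the naive "last two labels" site comparison are all assumptions made for illustration.

```python
import math
from collections import Counter

def shannon_entropy(label: str) -> float:
    """Bits per character of the label's empirical character distribution."""
    if not label:
        return 0.0
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())

def first_label(hostname: str) -> str:
    return hostname.lower().rstrip(".").split(".")[0]

def looks_random(hostname: str, threshold: float = 3.5, min_len: int = 10) -> bool:
    """Entropy heuristic: long leftmost label with near-uniform characters.
    threshold and min_len are assumed values, not tuned on real traffic."""
    label = first_label(hostname)
    return len(label) >= min_len and shannon_entropy(label) >= threshold

def site_of(hostname: str) -> str:
    """Naive registrable domain (last two labels). Assumption: production
    code would consult the Public Suffix List instead."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def cname_leaves_site(hostname: str, cname_map: dict) -> bool:
    """True when a first-party name is an alias for a host on another site."""
    target = cname_map.get(hostname)
    return target is not None and site_of(target) != site_of(hostname)

# Constructed CNAME records (placeholders, not real resolver output).
SAMPLE_CNAMES = {
    "x7f3k9q2zb8m1w.example.com": "collect.tracker.example.net",
    "securite.example.com": "collect.tracker.example.net",
    "www.example.com": "edge.example.com",
}

def classify(cname_map: dict) -> dict:
    """Per-hostname verdict from each heuristic."""
    return {
        host: {"entropy_flag": looks_random(host),
               "cname_flag": cname_leaves_site(host, cname_map)}
        for host in cname_map
    }

if __name__ == "__main__":
    for host, verdict in classify(SAMPLE_CNAMES).items():
        print(f"{host:32} {verdict}")
```

The dictionary-word label is missed by the entropy check and caught only by following the CNAME, which is the case the `securite` comment describes.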



