"Trust on first use" is not always less secure than using a CA.
With trust on first use, if you validate that the certificate matches the one you expect, then you're good as long as the server and your device are not compromised.
If you go the standard route and use a certificate authority, then a compromise (due to law enforcement or not) of the certificate authority will cause your device to silently trust a third party MITM certificate.
A lot of hidden implicit tradeoffs like this become apparent once you realize that your personal threat model is only loosely aligned with Google's.
We control the CA so this method of attack is not possible.
That said, TOFU is only less secure in practice, not in theory. The "in practice" is because users do not actually compare the cert with anything. They will always just click "Trust."
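To make the two comments above concrete, here is an added example (not code from either commenter) of what "validate that the certificate matches the one you expect" means in a TOFU client, and how a client can avoid the click-through "Trust" failure mode by refusing a changed certificate outright. The host name, the byte-string stand-ins for DER certificates and the `TofuStore` class are all constructed for the example.

```python
import hashlib
from typing import Dict, Optional

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# In practice the bytes come from ssl.SSLSocket.getpeercert(binary_form=True).
DEVICE_CERT = b"constructed-der: CN=nas.home, key=A"
MITM_CERT = b"constructed-der: CN=nas.home, key=B"


class PinMismatch(Exception):
    """Presented certificate differs from the pin (or from the expected value)."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes, hex encoded: the usual pin format."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Per-host pins kept in memory; a real client would persist `self.pins`."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def check(self, host: str, cert_der: bytes, expected: Optional[str] = None) -> str:
        """Return 'pinned' on first use or 'ok' on a match; raise on mismatch.
        `expected` is a fingerprint obtained out of band (e.g. read off the
        device's own console); passing it is the "matches the one you expect"
        step, without which first use trusts whatever is presented."""
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            if expected is not None and fp != expected:
                raise PinMismatch(f"{host}: first-use cert {fp[:16]} != expected")
            self.pins[host] = fp
            return "pinned"
        if fp != pinned:
            # Fail closed: no "Trust anyway" prompt for the user to click through.
            raise PinMismatch(f"{host}: cert changed {pinned[:16]} -> {fp[:16]}")
        return "ok"


def demo() -> list:
    """First use with out-of-band check, a repeat visit, then a swapped cert."""
    store = TofuStore()
    out = [store.check("nas.home", DEVICE_CERT, expected=fingerprint(DEVICE_CERT)),
           store.check("nas.home", DEVICE_CERT)]
    try:
        store.check("nas.home", MITM_CERT)
    except PinMismatch:
        out.append("rejected")
    return out
```

`demo()` returns `["pinned", "ok", "rejected"]`: the swapped certificate is refused rather than offered to the user as a choice.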