Thank you for the clarification. As a site operator, how should we assure that a visitor's connection cannot be MitM'd? Is this why some apps only use their own internal trusted certificate list, in lieu of offering a webpage?
Can't they inform the HPKP list provider to revoke the old key after they regain control of the ___domain?
HPKP isn't a centrally managed list, it's remembered by clients who've received HPKP headers when visiting your site (or in this case, the attacker controlled site at your ___domain).
As dwattttt said, it's not a central list at all. Having a central list defeats the purpose of HPKP (since governments can just force them to add another authorized key, and even if they only have remove-only policies I'm pretty sure that stripping HPKP defeats its own purpose).