Right, if Bluesky ever does do something hinky with your PDS, the operation will be signed with their key and persisted in the operation log which they're unable to touch. You can outright remove Bluesky's key if you want, though I think that only works within some number of days of creating it.
It's probably one of the few places where a blockchain would actually be useful; just use it as a history of users' keys to validate against, so any domain takeover or similar event would at least not allow stealing a user's handle.