But... let's carefully read RFC 8659 again.
The 'issue' tag grants
"authorization to issue certificates containing that FQDN to _the holder of the issuer-domain-name or a party acting under the explicit authority of the holder of the issuer-domain-name_."
Who is the "holder of the issuer-domain-name" for, say, geotrust.com, rapidssl.com, or thawte.com?
That's right: DigiCert.
So by specifying 'geotrust.com' in your CAA record, you are implicitly also granting the various DigiCert subsidiaries authorization, which really isn't obvious at all.
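To make that implicit grant visible, here is an added example (not code from the original post) that parses CAA records in RFC 8659 presentation format and expands each issue/issuewild issuer-domain-name to the organization that holds it; the holder map is constructed from the post's own statement that geotrust.com, rapidssl.com and thawte.com are held by DigiCert, and the `intended_org` name is an assumed input.

```python
# Added example: audit CAA 'issue'/'issuewild' grants against the organization
# you actually meant to authorize. Holder map is constructed for illustration
# from the post's statement; it is not an authoritative registry.
import re
from dataclasses import dataclass, field

ISSUER_HOLDER = {
    "digicert.com": "DigiCert",
    "geotrust.com": "DigiCert",   # per the post: held by DigiCert
    "rapidssl.com": "DigiCert",   # per the post: held by DigiCert
    "thawte.com": "DigiCert",     # per the post: held by DigiCert
}

@dataclass
class CAARecord:
    flags: int
    tag: str
    issuer: str = ""                 # issuer-domain-name; "" means "no CA may issue"
    params: dict = field(default_factory=dict)

def parse_caa(rr: str) -> CAARecord:
    """Parse 'flags tag "value"', e.g. '0 issue "geotrust.com; accounturi=..."'."""
    m = re.fullmatch(r'\s*(\d+)\s+(\w+)\s+"([^"]*)"\s*', rr)
    if not m:
        raise ValueError(f"not a CAA record: {rr!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    if tag not in ("issue", "issuewild"):
        return CAARecord(flags, tag, value)
    # RFC 8659 issue value: issuer-domain-name [; key=value ...]
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return CAARecord(flags, tag, parts[0].lower(), params)

def audit(rrs, intended_org):
    """Return (tag, issuer-domain-name, holder) for every grant whose holder
    is not the organization you intended to authorize."""
    findings = []
    for rr in map(parse_caa, rrs):
        if rr.tag in ("issue", "issuewild") and rr.issuer:
            holder = ISSUER_HOLDER.get(rr.issuer, rr.issuer)
            if holder.lower() != intended_org.lower():
                findings.append((rr.tag, rr.issuer, holder))
    return findings

if __name__ == "__main__":
    # Constructed zone data: the operator believes only "GeoTrust" is allowed.
    zone = ['0 issue "geotrust.com"', '0 issuewild ";"', '0 iodef "mailto:sec@example.invalid"']
    for tag, name, holder in audit(zone, "GeoTrust"):
        print(f"{tag} {name}: effectively authorizes {holder}")
```

The audit reports that `issue "geotrust.com"` effectively authorizes DigiCert, which is the non-obvious grant the post describes.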