Who is the "holder of the issuer-domain-name" for, say, geotrust.com, rapidssl.com, or thawte.com?
That's right: DigiCert.
So by specifying 'geotrust.com' in your CAA record, you are implicitly also granting the various DigiCert subsidiaries authorization, which really isn't obvious at all.
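To make that implicit grant visible when auditing a zone, here is an added example (not code from the original post) that parses CAA records and groups the authorized issuer domains by the organisation holding them. The `HOLDERS` table contains only the three domains named above, and the sample records are constructed for a hypothetical zone.

```python
# Added example: expand CAA issuer domains to the organisation that holds them.
# HOLDERS lists only the three domains named in the text (an assumption-free
# minimum); extend it from each CA's published CAA identifiers before use.
HOLDERS = {
    "geotrust.com": "DigiCert",
    "rapidssl.com": "DigiCert",
    "thawte.com": "DigiCert",
}

def parse_caa(line):
    """Parse '<flags> <tag> "<value>"' (RFC 8659 presentation format)."""
    flags, tag, value = line.strip().split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return int(flags), tag.lower(), value

def issuer_domain(value):
    """The issuer domain name is the part before the first ';' (parameters follow)."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")

def effective_holders(records):
    """Map issue/issuewild to {holder: [issuer domains that grant it]}."""
    result = {"issue": {}, "issuewild": {}}
    for line in records:
        _flags, tag, value = parse_caa(line)
        if tag not in result:
            continue  # iodef and unknown tags authorise nobody
        domain = issuer_domain(value)
        if not domain:
            continue  # 'issue ";"' authorises no issuer
        holder = HOLDERS.get(domain, domain)  # unknown: report the domain itself
        result[tag].setdefault(holder, []).append(domain)
    return result

# Constructed sample record set for a hypothetical zone.
SAMPLE = [
    '0 issue "geotrust.com"',
    '0 issue "Thawte.com; account=12345"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]

if __name__ == "__main__":
    for tag, holders in effective_holders(SAMPLE).items():
        print(tag, holders or "no issuer authorised")
```
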
If we then add up the various related CA domains, our breakdown looks more like this: