KreSec
Sep 13, 2023


Sorry, how misleading, sir?

Thank you, what you said is right, and maybe I need to add why it's vulnerable.

I have also tested it with my own site. If you look at this article (https://help.lemlist.com/en/articles/4495333-how-to-set-up-your-custom-tracking-domain), there is a tutorial on setting the custom domain for "Tracking" & "Page".

Why can it be vulnerable, even though the user is actively using lemlist?

1. They only customize the "Tracking" field, so the "Page" field can be used by other users without need

2. They no longer use the lemlist service, but the CNAME is still stuck on the subdomain

Why do I say what is mentioned in number 1? I tried custom tracking and got the error "Already", but on the "Success" page
