Currently, when you point a DNS entry at Pantheon, if you aren’t linking to an existing site, you are subject to domain hijacking. Another Pantheon customer can add your domain to their site, and start serving up visitors to your domain. I think this is especially true at larger organizations (enterprise customers), with lots of red tape with DNS and many many DNS entries, it’s possible to lose track of a domain here and there, and you are more likely to be susceptible to this behavior.
It would be great if Pantheon could implement some tool where a domain gets reserved for a customer. For example, if my domain is widget.com, and I could go through whatever steps to validate I own the domain, no other Pantheon customer should then be able to add a *.widget.com domain to their account. That would ensure that no one could launch an evil-doer site under your brand (domain).