Both of them identify users by URL; there is no numeric ID, UUID, or public key.
Using IDs or UUIDs would not be secure since the imposter could just copy the ID from the previous user as well as the username and domain name.
Verifying identity would necessitate the user having a public key as their unique identifier, and federated servers performing a challenge-response that requires the user to have the corresponding private key for that public key.
In conclusion, it certainly seems like you could take over someone else's domain name, and I suspect that public key cryptography is the only way to avoid this.
(Edited to add: expired domains aren't the only attack surface here; domain takeover is also a thing, either by transferring the domain or simply changing the DNS records.)
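The challenge-response check described above, sketched in Go as an added example that is not part of the original comment or of any federation protocol's code. It assumes Ed25519 keys and a remote server that pinned the account's public key when it first saw the URL; `Verifier`, `Challenge`, `Verify`, `message`, the context label and the sample URL are all hypothetical names chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verifier is a hypothetical remote server. pinned holds the public key it
// recorded when it first saw each actor URL; that key, not the domain, is the identity.
type Verifier struct {
	pinned  map[string]ed25519.PublicKey
	pending map[string][]byte // one outstanding single-use nonce per actor URL
}

// Challenge issues a fresh random nonce that the account holder must sign.
func (v *Verifier) Challenge(actor string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	v.pending[actor] = nonce
	return nonce
}

// message binds the nonce to the actor URL under a constructed context label.
func message(actor string, nonce []byte) []byte {
	return append([]byte("actor-challenge-v1\x00"+actor+"\x00"), nonce...)
}

// Verify checks the response against the pinned key and consumes the nonce,
// so a captured signature cannot be replayed.
func (v *Verifier) Verify(actor string, sig []byte) bool {
	nonce, issued := v.pending[actor]
	delete(v.pending, actor)
	pub, known := v.pinned[actor]
	return issued && known && ed25519.Verify(pub, message(actor, nonce), sig)
}

func main() {
	actor := "https://social.example/users/alice" // constructed sample URL
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, newOwner, _ := ed25519.GenerateKey(rand.Reader) // whoever now controls the domain
	v := &Verifier{pinned: map[string]ed25519.PublicKey{actor: pub}, pending: map[string][]byte{}}
	fmt.Println(v.Verify(actor, ed25519.Sign(priv, message(actor, v.Challenge(actor)))))     // true
	fmt.Println(v.Verify(actor, ed25519.Sign(newOwner, message(actor, v.Challenge(actor))))) // false
}
```

A party that controls the domain but not the original private key can serve the same URL and username, yet its response fails against the pinned key.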