The new domain owner — if they set up an ActivityPub server instance (e.g. a Lemmy) and got a list of the old user's post URLs — might be able to delete or edit the old user's posts stored on other instances. That is a vulnerability, albeit a small one.
If the old user was still listed as a moderator of communities hosted on other instances, the new domain owner might be able to take over that moderator role.
One way to fix this would be for instances to issue a public-key cryptographic identity to each user, and distribute users' public keys to other instances. Then activities purporting to be from that user would need to be signed by that user's private key.
Users' private keys would stay local to their home instance, so users don't have to do any key management themselves.
This would mean that if an instance goes away (and its key material is destroyed) then nobody can ever act as any of those users again. A new user created with the same username and domain would be a distinct user for all other instances too.