jjcm / nonio


Change post URLs to prevent hacking attempts

ioloie opened this issue

Allowing users to create URLs at the site root will cause a lot of issues long term.

First is that it opens up attack vectors such as this attempt.

Second is having to steam-roll posts to add new features at URLs that are in use. If you do add a .well-known directory, you'll need to remove that post, for example.

Moving posts to be under /post/:id the same as users being under /user/:id would prevent both of these issues.
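The collision the issue describes, as an added example that is not nonio's own code: a minimal router in Go (chosen only for the example) resolves request paths under both layouts. The post slugs, the list of reserved top-level paths and the `Route` type are all constructed for the example. Under the root-slug layout a post whose slug matches a site route is unreachable, and reserving a new path later means deleting whichever post holds that slug; under `/post/:id` neither can happen, because post ids sit in their own namespace.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample data for this example: slugs that users have chosen for
// their posts. Two of them deliberately reuse names a site is likely to want
// as top-level paths of its own.
var posts = map[string]bool{
	"hello-world": true,
	"login":       true,
	".well-known": true,
}

// Hypothetical set of top-level paths the site currently reserves for itself.
var reservedPaths = map[string]bool{
	"user":  true,
	"post":  true,
	"login": true,
	"admin": true,
}

// Route is the result of resolving a request path.
type Route struct {
	Handler string // "site", "post" or "notfound"
	Arg     string
}

// segments splits "/a/b" into ["a", "b"]; "/" yields [""].
func segments(path string) []string {
	return strings.Split(strings.Trim(path, "/"), "/")
}

// RouteRootSlugs models the layout the issue objects to: a post lives at /<slug>.
// Site routes are matched first, so a post whose slug equals a reserved path is
// unreachable, and every future reserved path removes whatever post holds that slug.
func RouteRootSlugs(path string) Route {
	seg := segments(path)[0]
	switch {
	case reservedPaths[seg]:
		return Route{Handler: "site", Arg: seg}
	case posts[seg]:
		return Route{Handler: "post", Arg: seg}
	}
	return Route{Handler: "notfound", Arg: path}
}

// RouteNamespaced models the proposal: posts at /post/<id>, users at /user/<id>.
// A post id can never collide with a site route because it sits under its own prefix.
func RouteNamespaced(path string) Route {
	segs := segments(path)
	if len(segs) == 2 && segs[0] == "post" {
		if posts[segs[1]] {
			return Route{Handler: "post", Arg: segs[1]}
		}
		return Route{Handler: "notfound", Arg: path}
	}
	if reservedPaths[segs[0]] {
		return Route{Handler: "site", Arg: segs[0]}
	}
	return Route{Handler: "notfound", Arg: path}
}

// Collisions returns the user slugs that would have to be removed ("steam-rolled")
// before each candidate path could be reserved under the root-slug layout. Under
// the namespaced layout the answer is always empty, which is the point of the change.
func Collisions(candidates []string) []string {
	var out []string
	for _, c := range candidates {
		if posts[c] {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	for _, p := range []string{"/hello-world", "/login", "/.well-known"} {
		fmt.Printf("root layout  %-18s -> %+v\n", p, RouteRootSlugs(p))
	}
	for _, p := range []string{"/post/hello-world", "/post/login", "/login"} {
		fmt.Printf("namespaced   %-18s -> %+v\n", p, RouteNamespaced(p))
	}
	fmt.Println("reserving /.well-known would remove posts:", Collisions([]string{".well-known", "about"}))
}
```

Running it shows `/login` resolving to the site handler while the post with that slug is unreachable, and `Collisions` listing `.well-known` as the post that would have to go before that directory could be added; under the namespaced router `/post/login` reaches the post and `/login` still reaches the site route.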

Rather than doing that, my thoughts right now are to actually move all admin elements under admin.non.io or settings.non.io, and to only allow modification of user settings from those domains.

I agree there's a vector for abuse, but I also believe that if posts are eventually a paid-only privilege, moderation of these abuses will be far easier. Will definitely revisit this if it becomes a problem.