The kind 0 post is signed, already verifying that the key owner is claiming to be bob@example.com, and looking at example.com to see if it matches verifies that the domain owner agrees and prevents anyone from claiming they are Bob.

If we say this isn't really validating anything, then I feel like by this same logic, no TLS cert would verify anything (unless it's a private CA who signed a cert for its own domain). Just because the assertion is being made by a 3rd party doesn't mean it's not valid.

At the end of the day it seems like it's just semantics. 🤷‍♂️
