BIP353 uses DNSSEC to provide provable link from the domain to the payment instructions. DNS isn't ideal, but in practice you're already trusting it for Web and email.

Importantly, the proof is self-contained so you don't have to request it yourself, but anyone else can prove it to you.