Avamander a day ago
> It is, but since we rely on DNS anyway, no matter what, and your DNS provider can get a certificate from Let's Encrypt for your site, without asking you, there's merit to combining them.

They can, but they'll also get caught thanks to CT. No such audit infrastructure exists for DANE/DNSSEC.

> It doesn't add any security to have PKI separate from DNS.

One can also get a certificate for an IP address.