New York City, a municipal government, used to have its website at www.ci.nyc.ny.us, now it’s at nyc.gov. But NYC still has a bunch of active websites hosted at *.nyc.ny.us.

NYC also has a TLD of their own. e.g: https://www.archives.nyc/

That's privately controlled, not like .gov. But yes.

yeah I still remember my grade school website's domain ended in ".k12.<state abbrev>.us"

Seems ripe for abuse if such registrations aren't being securely controlled

But you don't get it. No registration is necessary. All an attacker needs is access to the authoritative DNS servers. They can get a delegation or insert their own resource records. Why go through a registry and give up a credit card and personal details?

I think they're referring to <state>.us registrations

I think at this point it’s been allowed for over 20 years but I’m sure there is a mixture still.

I was mostly trying to point out that registering under .us is pretty trivial. There is no need to try and sneak something into some states’s dns records, anyone can just go on any registrar and purchase something directly under .us