I don’t fully understand why switching to a non-custom domain helps to protect accounts. Isn’t it a sophism? Then better register your custom domain at a provider you trust (the smaller the better, e.g. a regional one).

If you use an email of a global freemailer such as gmail or yahoo, an attacker can apply the same social engineering to gain access to your account. For instance, in gmail accounts you can link another email or phone number for “recovery access” and that can be compromised.

You can also implementsecurity measurements easily such as MX record monitoring for your custom domain.