That happened to me, but fortunately it didn't end up being a huge deal.

I had forgotten to renew my domain from Gandi, it expired, and I stopped getting emails. I also could not find my password for Gandi, and I couldn't get the password reset to work, so I panicked, but fortunately Gandi will let you renew someone else's domain. Not a transfer, just if account A wants to pay to renew account B's domain without any change of ownership, they allowed that, so I made a quick throwaway account, and renewed everything for eight years.

I mean, sure, but I and probably 99% of other folks have a credit card set up to autorenew. This is a security problem, but not a very serious one.

Taking over a domain is not particularly connected to access to PII.

You own/control the name, not the set of files on a hosting service somewhere.