It's actually not safe for clients to perform local validation because a quite significant fraction of middleboxes and the like strip out RRSIG and the like or otherwise tamper with the records in such a way that the signatures don't validate.

No! Because it's totally possible for operating system vendors to flip that switch without requiring every upstream project to adopt key pinning. It's MUCH less infrastructure to upgrade.