That’s long since been the case, e.g. the Linux Kernel assigns its own CVE numbers, they’re a CNA. Which keeps the “root” CVS database completely out of the loop short of saying “this here is your namespace and scope”. Canonical is a CNA, Airbus is a CNA, both covering their own products. 453 in total.

Still important to have a fallback though because not all projects are big enough to do that kind of stuff.