Name Space Within States:
------------------------

"locality" - cities, counties, parishes, and townships. Subdomains
under the "locality" would be like CI.<city>.<state>.US,
CO.<county>.<state>.US, or businesses. For example:
Petville.Marvista.CA.US.

"CI" - This branch is used for city government agencies and is a
subdomain under the "locality" name (like Los Angeles). For example:
Fire-Dept.CI.Los-Angeles.CA.US.

So you'd be counting on the sub-registrar of jacksonville.fl.us not to allow a registration for the fraudulent "business" of Sheriff, Inc. -- multiplied by every municipality across the country.
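
The layout in the quoted excerpt, as an added example (not from the thread or from the RFC text): it tells a name under the CI/CO government branches apart from one in the open registrant space directly under the locality, and flags agency-like labels in the latter. The function names and the watch list are assumptions, and only the branches quoted above are handled.

```python
# Added example. Uses only the layout in the excerpt quoted above:
#   <agency>.CI.<city>.<state>.US, <agency>.CO.<county>.<state>.US,
#   or a registrant (e.g. a business) directly under <locality>.<state>.US.
GOV_BRANCHES = {"ci": "city-government", "co": "county-government"}

# Constructed watch list (assumption): words a reader may take for an agency.
AGENCY_WORDS = {"sheriff", "police", "fire", "court", "clerk"}


def classify(fqdn):
    """Return (branch, locality, state, registrant_labels) for a .US name."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 4 or labels[-1] != "us" or any(not l for l in labels):
        return ("not-locality", None, None, [])
    state, locality, rest = labels[-2], labels[-3], labels[:-3]
    if len(state) != 2 or not state.isalpha():
        return ("not-locality", None, None, [])
    if rest[-1] in GOV_BRANCHES:
        # The label next to the locality is CI or CO: government branch.
        return (GOV_BRANCHES[rest[-1]], locality, state, rest[:-1])
    # Anything else sits in the space shared with businesses.
    return ("locality-registrant", locality, state, rest)


def looks_like_agency(fqdn):
    """True when a name outside CI/CO carries an agency-like word."""
    branch, _, _, registrant = classify(fqdn)
    if branch != "locality-registrant":
        return False
    words = {w for label in registrant for w in label.split("-")}
    return bool(words & AGENCY_WORDS)


if __name__ == "__main__":
    samples = [
        "Fire-Dept.CI.Los-Angeles.CA.US",  # from the excerpt
        "Petville.Marvista.CA.US",         # from the excerpt
        "sheriff.jacksonville.fl.us",      # constructed from the comment's scenario
    ]
    for name in samples:
        print(name, classify(name)[0], "FLAG" if looks_like_agency(name) else "ok")
```
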
Many top-level TLDs have requirements you need to fulfill; .edu is a good example. Similarly, you need to prove you're a local entity for many country-specific TLDs. At the end of the day, though, this attack vector will always be there, no matter how diligent you are about it. Phishing is all about numbers and one in is often all you need.
This would not be an issue if RFC 1480 had been taken seriously.