You’re right, and you probably only need to add the TLSA for _25._tcp.mail.domain1. At least if you don’t pursue your original plan of multiple MX and PTR records on multiple IPs.
I have it on all domains, because my SSL certificate actually contains all domains that are hosted on my server, in order to make the webui available on all domains, and for easy configuration of mail clients that don’t support autodiscovery. However, I could probably delete the entries for my additional domains, because all external connections over port 25 are always using mail.domain1.tld, regardless of how the clients are connected to the server, and regardless of which of the domains on the server is sending/receiving mail.
But yeah, good question, actually, and I can’t give you a definitive answer. All I can say is that it works without issues for me.
Maybe someone else here has more insight…
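As an added example (not part of the reply above, and not from any particular project): a small POSIX shell script that derives the DANE TLSA record for the MX hostname, which is where the record is actually consulted for port-25 connections. It assumes openssl is installed and uses a throwaway self-signed certificate as constructed input in place of the real mail.domain1.tld certificate.

```shell
#!/bin/sh
# Added example: build the TLSA record that belongs at _25._tcp.<MX host>.
# Assumes openssl is available; the certificate is a constructed self-signed one.
set -eu

# Owner name for SMTP DANE: the MX hostname, not every hosted domain.
tlsa_owner() {
    printf '_25._tcp.%s.\n' "$1"
}

# TLSA 3 1 1 rdata: usage DANE-EE, selector SPKI, matching type SHA-256.
# Hashing the SubjectPublicKeyInfo means a renewed certificate with the same
# key pair keeps the record valid.
tlsa_rdata() {
    pubkey_hash=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1)
    printf '3 1 1 %s\n' "$pubkey_hash"
}

# Complete zone-file line for the MX host; the 3600 TTL is an assumption.
tlsa_record() {
    printf '%s 3600 IN TLSA %s\n' "$(tlsa_owner "$1")" "$(tlsa_rdata "$2")"
}

# Constructed certificate for demonstration only (throwaway key, no real host).
# Writes the certificate to $1 and the private key to $1.key.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=mail.domain1.tld' \
        -keyout "$1.key" -out "$1" -days 1 >/dev/null 2>&1
}

# Usage: sh tlsa.sh demo
if [ "${1:-}" = "demo" ]; then
    make_demo_cert /tmp/demo-mail.pem
    tlsa_record mail.domain1.tld /tmp/demo-mail.pem
fi
```

Publishing the printed line under the MX hostname is enough for senders that verify DANE; the per-domain copies the reply mentions are never queried for port-25 delivery.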