If am not wrong, Little snitch doesn't stop any malicious domain that the user is not aware of.

Little snitch is effectively a MITM app for all connections on the system it is installed on.

Little Snitch can be setup whichever way you like, but the default/recommended way is for it to ask the user about every connection attempt, which you can then approve or deny (for a limited time, or forever).

Little Snitch is a gate. It either lets a specific connection through, or not; it does not modify it. It all happens on your own machine. You keep using that term, "MITM", I don't think it means what you think it means.