As listed on Policy and Legal Repository - Let's Encrypt:
Certificate Problem Reports
To report private key compromise, certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any other matter related to certificates, please email cert-prob-reports@letsencrypt.org.
You're correct, the Security@ address is intended for disclosures of problems with ACME, the Boulder CA software, or other aspects of the operation of the CA.