As @mnordhoff points out, the 0700 mode on the /usr/local/etc/letsencrypt/{archive,keys,accounts} directories enforce root-only access to the sensitive key files.
That the files themselves are 0644 (vs 0600) is not important. That there are no restrictive permissions on the symlinks in live is also not important.
You can verify this by lowering yourself to a non-privileged user and trying to access any of the private keys, it's not possible.