I don't quite follow the question either.
A cert is only issued by request of an ACME Client and only when control of the domain name requested is proved. So, are you concerned someone else could gain control of your DNS and/or server?
That said, there was an enhancement to the CAA options recently. You can now further restrict cert issuance by method and account.