Automating issuance with Kubernetes

Maybe that would help, but I think mostly the problem is still that you're confused, e.g. talking about attackers gaining "a way to generate public keys" when in fact the public and private key are of necessity generated together by the same algorithm.

If a hypothetical attacker controls your servers, they will be able to obtain TLS certificates from a self-service Certificate Authority, and not just from Let's Encrypt: many others offer this service. It doesn't matter whether you insist on the most laborious certificate application process possible; they're not constrained by that.

Even if you insist on only entering your house by doing a six minute dance routine with a chorus and orchestral accompaniment, a bad guy can still just break a window, grab what they want and run off; they aren't obliged to hire an orchestra and do the dance routine just because that's how you like to do it.
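To make the point about "generating public keys" concrete, here is an added example (not code from the thread or from Let's Encrypt) that derives an elliptic-curve public key from a private key using the secp256k1 parameters and a plain-Python scalar multiplication. The public key is not something that exists on its own: it is computed from the private key, so whoever holds the private key (for example, whoever controls the server it lives on) trivially has the public key as well. The curve constants are the published secp256k1 values; the helper names are this example's own, and a real deployment would use a vetted cryptography library rather than this toy arithmetic.

```python
"""Added example: a public key is derived from the private key.

Uses the public secp256k1 domain parameters with textbook affine point
arithmetic. Illustrative only; production code should use a vetted library.
"""
import secrets

# secp256k1 domain parameters (published constants, not page-specific values)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + 7 (mod P); None is the point at infinity."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def point_add(a, b):
    """Affine addition on the curve; handles identity and the doubling case."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # a + (-a) = point at infinity
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add: compute k * pt."""
    result = None
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def public_from_private(priv):
    """The public key is simply priv * G; there is no separate way to 'generate' it."""
    if not 1 <= priv < N:
        raise ValueError("private scalar must be in [1, N-1]")
    return scalar_mult(priv, G)


def generate_keypair():
    """Pick a random private scalar and derive the matching public key from it."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, public_from_private(priv)


if __name__ == "__main__":
    priv, pub = generate_keypair()
    print("private:", hex(priv))
    print("public x:", hex(pub[0]))
    print("public y:", hex(pub[1]))
    print("public key on curve:", on_curve(pub))
```

The defender-side takeaway matches the reply above: the private key is the secret, and the public key is a deterministic function of it, so protecting the host that holds the private key (and revoking and re-keying if that host is compromised) is what matters, not how elaborate the certificate application process is.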
