If you control ports 80 and 443, and DNS for _acme-challenge.example.com, you have nothing to worry about. If "guest hacks my port forwarding" is in scope, in the future you'll be able to use CAA records to further control issuance: they're not enabled yet, but the accounturi parameter would let you restrict issuance to your own account(s), and the validationmethods parameter would let you prevent usage of validation methods other than DNS-01. (If you use DNS-01.)
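An added worked example, not part of the comment above: the accounturi and validationmethods parameters are the ones defined in RFC 8657 for CAA issue/issuewild records, and the snippet below is a small, stand-alone evaluator that applies a CAA RRset the way an issuing CA would, including the critical-flag rule from RFC 8659. The zone records, the account URI and the CA identities are constructed placeholders, and the evaluator is written here for illustration; it is not any CA's or ACME client's code.

```python
from dataclasses import dataclass, field

# Constructed sample RRset for example.com (not a real zone). It allows only
# letsencrypt.org to issue, pins issuance to one ACME account (made-up URI)
# and to the dns-01 method, and forbids wildcard issuance outright (";").
# Tuples are (flags, tag, value), mirroring the CAA RDATA layout.
SAMPLE_CAA_RECORDS = [
    (0, "issue", "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345; validationmethods=dns-01"),
    (0, "issuewild", ";"),
    (0, "iodef", "mailto:security@example.com"),
]

CRITICAL_FLAG = 0x80           # RFC 8659: "issuer critical" bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class IssueRecord:
    ca: str                   # CA domain, lowercased; "" means "no CA may issue"
    params: dict = field(default_factory=dict)


def parse_issue_value(value):
    """Parse an issue/issuewild value of the form 'ca-domain; k=v; k=v'."""
    parts = [p.strip() for p in value.split(";")]
    rec = IssueRecord(parts[0].lower())
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        k, v = p.split("=", 1)
        rec.params[k.strip().lower()] = v.strip()
    return rec


def issuance_allowed(records, ca, account_uri, method, wildcard=False):
    """Decide whether `ca` may issue for the name covered by `records`, using
    ACME account `account_uri` and validation `method` (e.g. "dns-01").

    Rules applied:
      - RFC 8659: an unknown tag with the critical flag set forbids issuance;
        for wildcard names, issuewild records take precedence over issue
        records when present; with no relevant records, CAA imposes no limit.
      - RFC 8657: an accounturi parameter must match the requesting account
        exactly; a validationmethods parameter is a comma-separated allow-list.
    """
    for flags, tag, _ in records:
        if flags & CRITICAL_FLAG and tag.lower() not in KNOWN_TAGS:
            return False

    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    relevant = [parse_issue_value(v) for _, t, v in records if t.lower() == tag]
    if not relevant:
        return True   # no issue/issuewild records: any CA may issue

    for rec in relevant:
        if rec.ca != ca.lower():
            continue  # record names a different CA (or no CA at all)
        uri = rec.params.get("accounturi")
        if uri is not None and uri != account_uri:
            continue  # pinned to another ACME account
        methods = rec.params.get("validationmethods")
        if methods is not None and method not in [m.strip() for m in methods.split(",")]:
            continue  # this validation method is not on the allow-list
        return True
    return False


if __name__ == "__main__":
    acct = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"
    for args in [
        ("letsencrypt.org", acct, "dns-01"),
        ("letsencrypt.org", acct, "http-01"),
        ("letsencrypt.org", acct.replace("12345", "99999"), "dns-01"),
        ("otherca.example", acct, "dns-01"),
    ]:
        print(args, "->", issuance_allowed(SAMPLE_CAA_RECORDS, *args))
```

With these records, an attacker who has hijacked the HTTP port forwarding cannot obtain a certificate via http-01, and even a dns-01 request from a different ACME account is refused; the practical check on a live zone is `dig CAA example.com` to confirm the records are actually published.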