Certbot-auto has insecure permissions!

Sorry for being late in the game. If everyone has write access to /opt, then anyone could do:

mv /opt/letsencrypt /opt/somethingelse
mkdir /opt/letsencrypt
echo 'echo owned >> /root/owned' > /opt/letsencrypt/letsencrypt-auto
chmod -R a+x /opt/letsencrypt

and it would fire the next time the root cronjob runs letsencrypt-auto with root privileges.

3 Likes
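A defensive check for the condition described in the post above, as an added example that is not part of the original post and not code from certbot: it walks from a script that root executes up through every parent directory and reports any component that a non-root user could modify or replace. The function name `unsafe_components` and its `TRUSTED_UID` and `TOP` parameters are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the path of a script
# that a root cron job executes.
#
# unsafe_components FILE [TRUSTED_UID] [TOP]
#   Prints FILE and each ancestor directory, up to TOP (default /), that is
#   missing, not owned by TRUSTED_UID (default 0), or group/world-writable.
#   Returns 1 if anything was reported, 0 if the whole chain is clean.
#
# Assumptions: FILE is an absolute path. Directories are walked lexically
# with dirname, so resolve symlinks in FILE first if the path contains any.
# A sticky world-writable directory is still reported, to stay strict.
unsafe_components() {
    p=$1
    uid=${2:-0}
    top=${3:-/}
    bad=0
    while :; do
        if [ ! -e "$p" ]; then
            echo "MISSING: $p"
            bad=1
        # -prune stops find from descending; -L judges a symlink's target.
        elif [ -n "$(find -L "$p" -prune \
                \( ! -user "$uid" -o -perm -0002 -o -perm -0020 \) \
                -print 2>/dev/null)" ]; then
            echo "UNSAFE: $p"
            bad=1
        fi
        # Stop once the top of the audited chain has been checked.
        if [ "$p" = "$top" ] || [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname "$p")
    done
    return "$bad"
}

# Typical use against the layout in the post (run as root):
#   unsafe_components /opt/letsencrypt/letsencrypt-auto
```

If `/opt` is reported, tightening it to root ownership with mode 755 removes the rename-and-replace path described in the post.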