Conveniently, I’m an attorney (in the U.S., whose law governs your dealings with LE), so I know a thing or two about legal liability. And no, there’s no legal liability if I, a private individual or company, privately accuse you of something, whether or not I’m right, and whether or not I have any decent reason to believe that it’s the truth. I can tell you, privately, that I think you’re a murderer, without any reason to believe that’s true, and there’s no legal liability created there. And to the extent that Let’s Encrypt is accusing you of anything, they’re doing so privately.
Secondly, Let’s Encrypt isn’t accusing you of anything. They aren’t saying, “your domain serves malicious content”; they’re saying (correctly) that Google has flagged your domain as serving malicious content. Truth is an absolute defense against a claim of defamation. So even if Let’s Encrypt were making that statement publicly, it would not expose them to liability.
Third, even if LE were publicly claiming that your site were malicious, that probably wouldn’t expose them to liability, as it probably wouldn’t be negligent of them to believe that Google was correct. This is a weaker point, though, and would need to go to a jury (the above two points wouldn’t get that far).
Fourth, the principle of “innocent until proven guilty” means that the government cannot punish you for a crime until they have proved your guilt, and the burden is on them to prove it. It doesn’t mean that a private entity can’t refuse to serve you for any, or no, reason (with a few exceptions that have nothing to do with guilt or innocence of anything). You don’t have a right to a trial and proof of your guilt before a business decides you’re too risky to do business with.
Fifth, your issue here is with Google. If there’s any effect on your orders, clients, money, business, etc., it results from Google listing your site as malicious, not from LE refusing to issue a cert because of that listing. People and companies sue Google all the time, sometimes even successfully. You may or may not have a case against them (ask your attorney if you want to pursue that), but that’s where your issue is.
I bolded the important part. When you say “shall”, you are dictating. You are stating what must be, as though you have authority to require it. That’s (part of) why I gave you the benefit of the doubt and assumed you weren’t a native English speaker, as that could explain your misuse of the word. If you’re trying to state your beliefs on what policy should be, “should” would be a more appropriate word to use.
Indeed there is. If you’d read it before posting, you wouldn’t have repeated the ridiculous assertion that Let’s Encrypt exposes themselves to any liability by refusing to issue a cert to sites that are listed by Google.
The fundamental issue is that users have been (wrongly) conditioned to associate the padlock with a trustworthy site. They shouldn’t do so; it doesn’t mean that, and never has. But nonetheless, they do. CAs can take a variety of approaches to try to deal with this; this is the method LE has chosen. They have a blog post on the subject here which explains their stance. I’m not sure I completely agree–I tend to think a CA should issue a cert to anyone who can demonstrate domain ownership–but their CA, their rules.