There isn’t any real benefit to that. The typical way to keep using the default data storage (under /etc) is to create a “ssl-certs” group, add nginx/root/etc to the group, then chgrp the directory to that group. IIRC, the various ports to OS distributions mostly automate the group associations to make this all seamless. Certbot runs as root on these systems not as much for security of keys, as the need to bind to port 80 + restart process + manage the configuration files.
The Linux permissions model is really based on shared environments and often exploited attack vectors. You honestly don’t have either on a development machine that is periodically connected.
Even on production machines, limiting ssl keys to root access isn’t a requirement. Large systems and several servers use cloud/api access, and some clients even store keys in sql.