Continuing the discussion from Support for ports other than 80 and 443:
By creating the DNS record you have already done that.
Obviously anything behind the address pointed to by the DNS record can do that; that’s the whole point.
The network/domain owner's responsibility, for sure. You need to coordinate internally in your organization which subdomain is going to be used by which user so they don’t step on each other's toes.
But in the case you mention you would probably have a centralized LE from where you can distribute the certs to the users.
And to repeat again, the possibility of using any port to obtain the certificate is there, which does not mean you have to use it. If you have any kind of issue with this, you can keep the LE challenges on ports 80 and 443 and block all the rest. The whole point is that the choice is there; you don’t have to use it!