The reason why you need to run is as root is somewhat an additional proof, that you own the domain, as only root is able to start services on privileged ports (<1024).
However I agree with you, that the official client is some big black voodoo box. Yes, you could trust the guys behind Let’s encrypt that they did their job right and the software is secure.
If you don’t like the official client, check out List of Client Implementations for other clients. I personally use acme-tiny, because it fits my needs the most and has little to no dependencies on third-party libraries. Also it’s quite small so you can audit the code yourself.