There is a mechanism that can help a bit with this, which is that you can make a CNAME for _acme-challenge in your zone, pointing to any arbitrary DNS RR in any zone. Then that RR is where the challenge TXT records need to be placed. In that case, you're no longer subject to limitations of the original authoritative DNS server.
Very soon Google Chrome is going to require transparency log inclusion proofs in order to accept certificates, so you can monitor logs (or presumably use other people's services or tools to monitor logs) to detect any misissuance related to your domain. If misissued certificates aren't logged, they won't be accepted by Chrome! Although this is a method of detection rather than prevention, misissuance events have been taken extremely seriously by browsers and the overall PKI community and may lead to significant consequences for CAs.
You'll have to lobby browsers about this because they seem to have said that they don't intend to go in this direction, at least for now.
Let's Encrypt in particular was founded by people who are also rather skeptical about the history of the web PKI and who would rather that CAs have less power and discretion rather than more. However, limiting CAs' power has many dimensions and one of those is making sure that we avoid misissuing by limiting the kind of evidence that can be used to justify certificate issuance. For example, there used to be a 3rd validation method for issuing (non-wildcard) certs. This was convenient for users in that it worked particularly well in web application contexts where all URL paths for a virtual host were already routed to some other application. But a researcher discovered a likely scenario in which people would be able to abuse this method in some hosting environments to get certificates for other customers' domains—so we discontinued using that method.
That doesn't mean that the web PKI is good or that it shouldn't be replaced by a better key distribution method. But the limitations on certificate issuance challenge methods are all motivated by making the certificates that Let's Encrypt issues more accurate and trustworthy, generally as a result of explicit threat analysis.
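
The CNAME delegation described at the start of this post, as an added example that is not part of the original post and is not Let's Encrypt's code: it follows the `_acme-challenge` CNAME chain to the name that must hold the TXT record, computes the TXT value as RFC 8555 section 8.4 defines it, and flags a target outside the zones you approved, since whoever can write TXT records at that final name can satisfy the challenge for your domain. All record names, the key authorization string and the function names are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample records (not from the post): owner name -> (type, value)
RECORDS = {
    "_acme-challenge.example.com.": ("CNAME", "example-com.acme.example.net."),
    "example-com.acme.example.net.": ("CNAME", "v1.validation.example.org."),
}

def challenge_name(domain):
    """Owner name the CA queries; a wildcard is validated at its base domain."""
    base = domain.lower().rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    return "_acme-challenge." + base + "."

def txt_owner(domain, records, max_hops=8):
    """Follow the CNAME chain and return the name that must hold the TXT record."""
    name, seen = challenge_name(domain), set()
    while name in records and records[name][0] == "CNAME":
        if name in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long at " + name)
        seen.add(name)
        name = records[name][1].lower()
    return name

def txt_value(key_authorization):
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization)), no padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def outside_allowed(owner, allowed_zones):
    """True if the TXT owner is in a zone you did not approve for validation."""
    return not any(owner == z or owner.endswith("." + z) for z in allowed_zones)

if __name__ == "__main__":
    owner = txt_owner("*.example.com", RECORDS)
    print(owner, "TXT", txt_value("constructed-token.constructed-thumbprint"))
    print("outside approved zones:", outside_allowed(owner, ["example.net."]))
```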