If this change is only introduced to ACME, isn't the difference somewhat academic/pointless?
A wildcard can, today, legally be issued from other CAs just with the presence of a /.well-known/pki-validation/ resource on the root domain.
I agree that better controls should be possible, but practically speaking, unless the changes propagate to other CAs, the only difference in a new label is that an attacker has to spend $20 at a cheap wildcard vendor.
I feel it is slightly disingenuous to claim that LE is lowering security when they already have higher requirements for wildcard issuance than those of other, equally trusted CAs.