Historically we have seen many problems with public CAs creating poor-quality certificates, or even issuing certificates that should never have existed. Google grew tired of this some years ago and instituted Certificate Transparency logging: https://www.certificate-transparency.org/
The CT logs accept any certificates that “chain” back to a public CA and they can provide cryptographic proof that a certificate was shown to them at a particular moment in time, called an SCT. Google requires SCTs for any EV certificate and expects to begin requiring them for other certificates eventually. The log servers can be monitored, using a Log Monitor, of which https://crt.sh/ is one popular example. One purpose of monitoring is to ensure that your names aren’t unexpectedly issued any certificates. Facebook already reported an example where a sub-contractor obtained Facebook sub-domain certificates in defiance of Facebook policy, which they couldn’t have detected without monitoring.
Some public CAs, of which Let’s Encrypt is one, voluntarily log all certificates; others don’t yet. Google also requires two CAs, Symantec and CNNIC, to log all their certificates because their past behaviour makes them hard to trust. Most other CAs are moving to either logging everything, or logging by default with an option to not log if you understand the consequences (your certificates might stop working in Chrome / Android).
Google’s web crawler adds any certificates it sees to the CT logs. So a “personal” subdomain that’s actually just on the public Internet will most likely sooner or later be found by the crawler, indexed and added to the CT logs anyway.
Several research groups also perform their own web crawls and collect all certificates, regardless of whether they chain back to a trusted root. If your server is on the public Internet it is essentially inevitable that these crawls will collect your certificates eventually.
If you don’t want something accessed over the public Internet, I would strongly recommend simply not connecting it to the public Internet at all.
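The monitoring use case described above (making sure your names aren’t unexpectedly issued certificates) can be sketched as follows. This is an added example, not part of the original post: the records are constructed, their field names are assumed to follow the JSON a log monitor such as crt.sh can return, and the approved-issuer list is a hypothetical policy.

```python
LE = "C=US, O=Let's Encrypt, CN=R3"
OTHER = "C=XX, O=Constructed CA, CN=Constructed Issuing CA"  # constructed issuer

# Constructed sample records; the field names are an assumption (see lead-in).
SAMPLE_RECORDS = [
    {"id": 101, "serial_number": "03a1", "issuer_name": LE,
     "name_value": "example.com\nwww.example.com", "not_before": "2024-03-01"},
    {"id": 102, "serial_number": "7f20", "issuer_name": OTHER,
     "name_value": "promo.example.com", "not_before": "2024-03-02"},
    # Same certificate logged twice (precertificate and final certificate).
    {"id": 103, "serial_number": "7f20", "issuer_name": OTHER,
     "name_value": "promo.example.com", "not_before": "2024-03-02"},
    # Look-alike names that must not be treated as ours.
    {"id": 104, "serial_number": "9c44", "issuer_name": OTHER,
     "name_value": "notexample.com\nexample.com.test.invalid", "not_before": "2024-03-03"},
    {"id": 105, "serial_number": "b2e9", "issuer_name": OTHER,
     "name_value": "*.Dev.Example.com", "not_before": "2024-03-04"},
]
APPROVED_ISSUERS = {LE}  # hypothetical policy: the only CA we expect to use


def names_in_scope(record, domain):
    """Return the record's DNS names that are `domain` or a subdomain of it."""
    domain = domain.lower().rstrip(".")
    hits = []
    for raw in record["name_value"].splitlines():
        name = raw.strip().lower().rstrip(".")
        bare = name[2:] if name.startswith("*.") else name  # ignore wildcard label
        if bare == domain or bare.endswith("." + domain):   # label-boundary match
            hits.append(name)
    return hits


def unexpected_certificates(records, domain, approved_issuers):
    """Flag certificates for our names from issuers outside the approved set."""
    findings, seen = [], set()
    for rec in sorted(records, key=lambda r: r["id"]):
        names = names_in_scope(rec, domain)
        key = (rec["issuer_name"], rec["serial_number"])  # one alert per certificate
        if not names or rec["issuer_name"] in approved_issuers or key in seen:
            continue
        seen.add(key)
        findings.append({"id": rec["id"], "issuer": rec["issuer_name"],
                         "names": names, "not_before": rec["not_before"]})
    return findings


if __name__ == "__main__":
    for f in unexpected_certificates(SAMPLE_RECORDS, "example.com", APPROVED_ISSUERS):
        print(f["not_before"], f["issuer"], ", ".join(f["names"]))
```

Matching on a label boundary keeps look-alike names out of the results, and keying on issuer plus serial number avoids a second alert when the same certificate appears in the log as both a precertificate and a final certificate.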