Equivalent to PGP revocation certificates?

Well, apparently I was mistaken, and this fourth approach wouldn't necessarily work, because emailing Let's Encrypt evidence of compromise, but not the private key itself, doesn't actually obligate them to revoke it, though of course they might do so anyway if they're able to (there's just apparently no Official Rule forcing them to do so like I thought there was). The only way to actually ensure that a revocation due to key compromise will happen is to use the ACME endpoint signed with the certificate private key itself.

Now, if you might be wanting to revoke for some other reason (like, you're selling the domain name soon or something), then you can use one of the other methods like storing the account key securely or having some other account prove ownership of the domain.

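The key-compromise path the post describes, as an added example that is not from the thread or from Let's Encrypt's own code: a Python sketch of the RFC 8555 section 7.6 revokeCert JWS signed with the certificate key rather than an account key, plus the check a CA makes on it. It assumes the `cryptography` package; the keys, DER bytes, nonce and URL are constructed placeholders.

```python
# Added example (not from the forum post). Assumes the `cryptography` package;
# keys are generated inline, and the DER bytes, nonce and URL are placeholders.
import base64
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, utils

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def revoke_request(cert_der: bytes, cert_key, nonce: str, url: str) -> dict:
    """JWS for POST /revokeCert: the protected header carries the certificate
    public key as `jwk` (not an account `kid`), so the CA can check that the
    signature was made by the very key being declared compromised."""
    pub = cert_key.public_key().public_numbers()
    jwk = {"crv": "P-256", "kty": "EC", "x": b64url(pub.x.to_bytes(32, "big")),
           "y": b64url(pub.y.to_bytes(32, "big"))}
    protected = b64url(json.dumps(
        {"alg": "ES256", "jwk": jwk, "nonce": nonce, "url": url}).encode())
    payload = b64url(json.dumps(
        {"certificate": b64url(cert_der), "reason": 1}).encode())  # 1 = keyCompromise
    der_sig = cert_key.sign(f"{protected}.{payload}".encode(), ec.ECDSA(hashes.SHA256()))
    r, s = utils.decode_dss_signature(der_sig)  # JWS wants raw r||s, not DER
    return {"protected": protected, "payload": payload,
            "signature": b64url(r.to_bytes(32, "big") + s.to_bytes(32, "big"))}

def ca_accepts(req: dict, cert_pub) -> bool:
    """CA-side check: the JWS must verify under the certificate's public key."""
    hdr = json.loads(b64url_decode(req["protected"]))
    if "jwk" not in hdr or hdr.get("alg") != "ES256":
        return False
    raw = b64url_decode(req["signature"])
    der_sig = utils.encode_dss_signature(int.from_bytes(raw[:32], "big"),
                                         int.from_bytes(raw[32:], "big"))
    try:
        cert_pub.verify(der_sig, f"{req['protected']}.{req['payload']}".encode(),
                        ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False

def demo():
    """Constructed data: one fresh P-256 key stands in for the leaked cert key;
    a second key shows that any other signer (e.g. an account key) is refused."""
    key, other = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    req = revoke_request(b"\x30\x03\x02\x01\x01", key, "nonce-placeholder",
                         "https://example.invalid/acme/revoke-cert")
    return req, ca_accepts(req, key.public_key()), ca_accepts(req, other.public_key())
```

The signature check is what makes this path binding on the CA: possession of the certificate key is proven in the request itself, which an emailed report cannot do.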