It's actually not good for the end user, because these APIs rarely have safe permissions and ACLs. Most DNS APIs will allow the token to update A/MX records; many will even allow the token to transfer the domain away. This makes automatic renewal incredibly unsafe, as a compromised server would expose the plaintext token.
The best option in almost every case is to:
- install acme-dns on a server you control (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.)
- CNAME your _acme-challenge text records onto the acme-dns instance
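An added sketch (not part of the original post, and not acme-dns project code) of what this delegation leaves on the renewing server: a credential that can only set one TXT value on the acme-dns instance, while the CNAMEs are created once by hand at the main DNS provider. The host `auth.example.org`, the registration values and the helper names are constructed assumptions; the `/update` endpoint and the `X-Api-User` / `X-Api-Key` headers follow the acme-dns README.

```python
import json
import re

# Constructed sample of an acme-dns POST /register response (all values made up).
REGISTRATION = json.loads("""{
  "username": "11111111-2222-3333-4444-555555555555",
  "password": "constructed-example-password",
  "fulldomain": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee.auth.example.org",
  "subdomain": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "allowfrom": []
}""")

# A DNS-01 TXT value is an unpadded base64url SHA-256 digest: exactly 43 characters.
TXT_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def cname_records(domains, registration):
    """Zone lines to add once, manually, at the primary DNS provider."""
    target = registration["fulldomain"].rstrip(".") + "."
    records = []
    for domain in domains:
        name = domain.lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]  # a wildcard name is validated at its base name
        line = f"_acme-challenge.{name}. IN CNAME {target}"
        if line not in records:
            records.append(line)
    return records


def update_request(base_url, registration, txt):
    """Build the TXT update call the renewing server makes to acme-dns."""
    if not TXT_RE.match(txt):
        raise ValueError("not a valid ACME DNS-01 TXT value")
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/update",
        "headers": {
            "X-Api-User": registration["username"],
            "X-Api-Key": registration["password"],
        },
        "body": json.dumps({"subdomain": registration["subdomain"], "txt": txt}),
    }


if __name__ == "__main__":
    for record in cname_records(["example.com", "*.example.com"], REGISTRATION):
        print(record)
```
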