This has recently been clarified in the new MRSP that prompted Upcoming changes to revocation reasons.
Let's Encrypt also now documents their new revocation policy here:
Let's Encrypt does not allow the usage of affiliationChanged in any case. You must use cessationOfOperation.
Let's Encrypt has discussed their reasoning for this on MDSP here: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/m3-XPcVcJ9M/m/1ACibMBYAAAJ