One of the key parts of an SSL certificate as proof of domain ownership is that it’s signed with a private key that only you have. If someone else were to obtain that private key, they could then produce SSL certificates pretending to be you, or revoke your existing certificates.
In the perfect world, only you should have access to your private key. If you have a script that you run on your own server, you can audit that script, and the key never goes off your server - that is the safest option.
The opposite (and worst) case is where you ask someone else to produce a private key for you, and they then give you a copy of the key. This means you need to completely trust them, their code and their servers. There are a couple of these systems available - which I would certainly not trust at all.
ZeroSSL falls in between these two scenarios, and it depends exactly how you use it. @leader is the author of ZeroSSL so may be able to comment on anything I get factually wrong.
I think you can generate your own private key, on your own computer, and then use that to generate a CSR (again on your own computer). If you upload the CSR to ZeroSSL, and use ZeroSSL to “obtain” the certificate for you, such that ZeroSSL never sees your private key - it’s perfectly safe and secure.
You can use ZeroSSL to generate the private key for you in your browser, and then generate the CSR etc. I have not audited the code in ZeroSSL. This should be safe (in that ZeroSSL never sees your private key), but I can’t be 100% certain of that. Whilst this method would be a huge amount safer than using a site which generates the private key for you, it’s still not something I’m personally 100% comfortable with - hence don’t use that method.
So in answer to your specific questions:
It’s always safer to keep 100% control of your private key, yes. I believe there is a method (where you generate the CSR) that you don’t need to let ZeroSSL see your private key though.
Personally I don’t trust anyone else with my private key, no.
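The workflow described in the post above (generate the private key and the CSR on your own machine, hand over only the CSR), as an added example that is not part of the original post and not ZeroSSL's code. It assumes OpenSSL 1.1.1 or later; the domain `example.com`, the file names and the function names are illustrative.

```shell
#!/bin/sh
# Added example: the key and CSR are created locally and only the CSR
# is meant to leave the machine. Domain and file names are assumptions.

# Create <dir>/<domain>.key and <dir>/<domain>.csr.
make_key_and_csr() {
    dir=$1; domain=$2
    old_umask=$(umask)
    umask 077   # key file is created readable by the owner only
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$domain.key" 2>/dev/null || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    # The CSR carries the public key and the requested name, signed by
    # the private key; the private key itself is not written into it.
    openssl req -new -key "$dir/$domain.key" -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" \
        -out "$dir/$domain.csr" 2>/dev/null
}

# Succeeds only if the public key inside the CSR is the one derived
# from the given private key (i.e. the CSR really belongs to your key).
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Pre-upload check: refuse any file that contains a PEM private key
# block, and require that the file parses as a certificate request.
safe_to_upload() {
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        return 1
    fi
    openssl req -in "$1" -noout 2>/dev/null
}
```

Run `make_key_and_csr . example.com`, then upload `example.com.csr` only after `safe_to_upload` and `csr_matches_key` both succeed; the `.key` file stays on the server.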