One of the things that keeps Let's Encrypt secure is a choice of practice, not required by the CA/B BRs or by root store policies, and therefore all the more praiseworthy.
Whenever possible, Let's Encrypt chooses to simply use their existing fully automatic issuance architecture for everything. That is, to get themselves a certificate (say, to test something) they use the same means you would. Since this architecture is protected against deliberate attacks by bad guys, it will inevitably also prevent many mere accidents that could arise if Let's Encrypt staff were to issue things using a custom process. We know that at some public CAs (including some which are still trusted today) there have been incidents where, without malice, a misissuance happened because staff missed a check that would have been mandatory for the general public.
For example, CAs are expected to provide Mozilla with an example of a web site with an expired certificate. Lots of CAs would just bypass their automation and mint a certificate with a very short lifespan, or even tweak the dates on it so that it appeared to have been issued and already expired in the past, but Let's Encrypt specifically didn't do that. They obtained a certificate just like anybody can from their CA, and then they waited until it expired naturally.