It would be nice if /etc/letsencrypt/live was 755 and the directories under that were 750. That way, you could assign a group for a particular service to each domain instead of the whole SSL certs folder (which is no more secure than just giving everyone read access).
Alternatively, the client could have an option such as --copy-to owner:group:750:/path/to/target/dir/ so the cert gets copied (not symlinked) to the target folder with the specified permissions as well as /etc/letsencrypt/live