You've got it. Another option some people use is to only allow traffic during the times that they're renewing. Depending on what your ACME client offers for "hooks" and the scripting capability of your firewall, this can be a little challenging to set up, but some people have done it.
Yet another option is to just allow all traffic on port 80, set up to handle validation requests and redirect everything else to https, but have filtering on port 443. So yes, those "low-rent web scrapers" would send some traffic, but since it's only redirection responses it's not impacting your "real" web page serving.
You may have already seen this, but this post describes how and why Let's Encrypt checks from multiple locations:
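The second option above as a concrete server configuration, added here as an example and not taken from the original post: an nginx server block (nginx, webroot-mode challenge files under /var/www/acme and certbot's /etc/letsencrypt/live paths are assumptions, since the post names no web server or client) that answers ACME HTTP-01 challenges on port 80 and redirects everything else to HTTPS, so only the filtered port 443 ever serves real content.

```nginx
# Added example, not from the original post. Assumes nginx, an ACME client
# writing HTTP-01 token files to /var/www/acme (webroot mode), and certbot's
# default certificate paths. example.com is a placeholder name.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # ACME HTTP-01 validation: serve token files straight from the webroot.
    # This must stay reachable from anywhere, because Let's Encrypt validates
    # from several vantage points and does not publish the source addresses.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else gets a cheap 301; no page content is served on port 80,
    # so scanners and scrapers hitting this port only cost a redirect.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Source filtering belongs here (or in the firewall) for port 443 only;
    # port 80 stays open so renewals keep working. Example: allow one range.
    allow 203.0.113.0/24;   # placeholder, documentation range (RFC 5737)
    deny  all;

    root /var/www/html;
    location / {
        try_files $uri $uri/ =404;
    }
}
```

Reload nginx after editing and confirm with a plain HTTP request to /.well-known/acme-challenge/test that port 80 returns the file (or 404) rather than a redirect, otherwise validation will fail.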