@philios33, it is possible to use an externally-generated CSR with the Let’s Encrypt client. This should work in the most common use cases without direct access to the private key.
I’m not clear on why it would be especially dangerous in most use cases for the Let’s Encrypt client to have access to the private key. The client is open source software written in Python and distributed as Python source code to run on your own server. You can look at it yourself to confirm that it doesn’t do anything improper with your keys. If you let OpenSSL (a vastly more complicated piece of software) read the private key in order to generate your CSR, perhaps you could accept letting the LE client read the key on the same basis (including the likelihood that you can get the LE client from your operating system distributor).
But yes, there’s no requirement in general to let the client read your private keys. You may need it for some CA operations (such as issuing a cert where there is already an existing cert for the same domain in use on the Internet), but there should ultimately be options to do everything manually or with your own software if you prefer, including by writing your own code to implement the ACME protocol.