Take this opinion with a grain of salt because I haven't had to use this type of equipment in many years now.
Taking LE/ACME out of the picture entirely, historically these devices have terrible web interfaces for managing the certificates they use, they rely on ancient versions of cryptography libraries, and have poor API support if they have an API at all (needing to run commands via SSH doesn't count as an API). So even before you think about how to get the certs, you have to deal with how you're going to import them to the devices. And if you have a lot of devices, you're going to want a way to do it that doesn't involve manually logging into a web interface or SSH console.
Assuming you've solved the cert deployment problem, then it's more a matter of privacy and scale. While you can get public (LE or otherwise) certificates for internal-only hostnames if you can satisfy the challenges via DNS, all of those names are still submitted to Certificate Transparency logs, which some argue gives potential attackers "sensitive" info about your network.
From a scale perspective, if you have on the order of tens of devices and you've accepted the security implications of CT logs, it's totally reasonable to get public ACME certs for them. But too far beyond that, and you start getting into potential rate limiting issues and just general impolite abuse of free services. Most orgs with a large internal device presence like this have an internal PKI that is a better fit for certificates for these devices. With an internal PKI, you also have the freedom to generate certs for IP addresses and non-public DNS names.
As a developer for these devices, you're in a very similar boat to the IoT device providers in terms of what choices you have for pre-configuring certs on devices or allowing devices to provision their own certs. Users tend to like options though. While one org might be fine with a device that is capable of provisioning its own public ACME cert, others will likely want it integrated into their own internal PKI. Some manufacturers may even host their own non-publicly trusted PKI and ask clients to trust their CA. There's really no one-true-way to do it and each solution has tradeoffs.