Correct, Certbot does not verify anything, it's just the ACME client whereas the ACME server does all the validating.
Please see:
Let's Encrypt is a publicly trusted CA and therefore requires a publicly accessible domain name, either through DNS, HTTP on port 80 or using the ALPN challenge on port 443. Let's Encrypt can not and never will issue certificates for local only domain names.
For non-public domains you can only use self-signed certificates or set up your own (internal) CA.