If the domain owner is negligent with the access to his domain, this is not the CA’s concern.
Also, a CA is not responsible for the content someone serves. LE signs a statement that the requester had access to a specific hostname at a given time, and this statement is valid for 90 days. That’s it.
If anyone is drawing false conclusions from that regarding the trustworthiness of the content served under that name at any given point in time, that is completely their own problem.
Edit: What should be possible, though, is that certs can be revoked by proving access to the domain, so that the rightful owner can revoke any rogue certs after a compromise.