Multidomain Cert with foreign domains

Hello, I have an unspecific question.

  • Users add their own domains and subdomains into accounts on a webhost provider.
  • Allowed are sub/domains hosted by the webhoster and by external domain hosters.
  • Additionally, the webhoster offers free webspace with a free subdomain.
  • The webhoster creates Let's Encrypt certs for all these domains and subdomains.
  • The users have no access to the private keys (I think).

The point of the question: The certs are multidomain certs with domains and subdomains from users AND free subdomains from the webhoster. The certs are also mixed with sub/domains from different domain name holders. It is possible that the common name is a free subdomain.

My question: Do these mixed multidomain certs pose a security risk? Because the webhoster has access to the private keys, but it has access to more than that. The question about seriousness is another side question here. The names of all sub/domains are listed on cert info pages and are findable via internet search engines. Unserious free subdomain names from the webhoster are thereby connected with the users' own sub/domains.

The webhoster is in a position of power and trust because they are in control of the server where these domains point.

The private key to the certificate doesn't give the webhoster the ability to do anything that they can't already do.

If the webhoster wanted to, they could create new certificates with new private keys for any of these domains, without the user's consent.

This is the nature of the trust relationship between the user and the webhoster.

I think many users would prefer that the webhoster used one individual certificate per domain.

(Personal opinion here) I think it's probably a bit unprofessional for a webhoster to use multi-domain certificates shared between different users/tenants.

However, it's certainly something that happens at some providers. Cloudflare used to do it, and Firebase either do or used to do it. They are both large providers.

5 Likes
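As an added illustration of the concern raised in this thread (not code from the original post or from any hoster), the following audit takes the DNS names listed in one certificate, as they would appear on a public cert info page, and reports whether the cert pools names from several tenants and whether its common name sits under the hoster's free zone. The free zone, the SAN list and the tenant ownership map are constructed sample data; the registrable-domain grouping is a two-label heuristic rather than a public-suffix lookup.

```python
"""Audit a multi-domain (SAN) certificate's name list for cross-tenant pooling."""
from collections import defaultdict

# Constructed sample: the hoster's free-subdomain zone and one cert's SAN list.
FREE_ZONE = "free.example-host.net"
SAN_NAMES = [
    "www.alice-shop.example",
    "alice-shop.example",
    "blog.bob-photos.example",
    "discount-offers.free.example-host.net",  # hoster free subdomain, other tenant
    "alice.free.example-host.net",
]
COMMON_NAME = "discount-offers.free.example-host.net"
# Constructed: which customer account registered each name at the hoster.
TENANT_OF = {
    "www.alice-shop.example": "alice",
    "alice-shop.example": "alice",
    "alice.free.example-host.net": "alice",
    "blog.bob-photos.example": "bob",
    "discount-offers.free.example-host.net": "carol",
}

def registrable_domain(name: str, free_zone: str = FREE_ZONE) -> str:
    """Group a hostname by who controls it. Assumption: two-label registrable
    domains (no public-suffix list); a name under the hoster's free zone is
    grouped one label below that zone, since each free subdomain is a tenant."""
    labels = name.lower().rstrip(".").split(".")
    zone = free_zone.lower().split(".")
    if labels[-len(zone):] == zone and len(labels) > len(zone):
        return ".".join(labels[-len(zone) - 1:])
    return ".".join(labels[-2:])

def audit_san_cert(common_name, san_names, tenant_of, free_zone=FREE_ZONE):
    """Return the findings a tenant would care about for a shared certificate."""
    by_tenant = defaultdict(set)
    for n in san_names:
        by_tenant[tenant_of.get(n, "unknown")].add(registrable_domain(n, free_zone))
    tenants = sorted(by_tenant)
    return {
        "tenants": tenants,
        "shared_across_tenants": len(tenants) > 1,
        "cn_is_free_subdomain": common_name.lower().endswith("." + free_zone.lower()),
        # Names that a public cert-log search would associate with each tenant.
        "names_linked_to": {t: sorted(d) for t, d in by_tenant.items()},
    }

if __name__ == "__main__":
    print(audit_san_cert(COMMON_NAME, SAN_NAMES, TENANT_OF))
```

On a real certificate the SAN list can be taken from `openssl x509 -noout -ext subjectAltName -in cert.pem`; a result with `shared_across_tenants` set is the situation the question describes.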

You answer that question with:

Any admin level access is a security risk.
If the hoster has such access [typical on shared hosting - where the hoster is the admin], then that is part of the deal you signed up for.

Talk with the hoster.
Maybe they can issue individual certs - one for each "customer".

3 Likes
