Alright, so I've written a small script to change the LE permissions to something more sensible, using inotify to watch for cert changes. You should probably run it as a daemon somehow (screen/tmux).
Disclaimer: Use at your own risk. I give no guarantees this won't melt your CPU, kill your dog, or delete your entire filesystem, nor will I accept any responsibility for any problems caused by the use of this script. You are expected to be able to read and understand bash scripts yourself to determine if this script could break anything on your system, and be able to fix any problems related to its use.
By default, files are protected from anyone but root (as normal), but this setup allows you to change group ownership of /etc/letsencrypt/archive/domain.com to grant read access for a single domain (instead of the entire cert folder) to a particular group.
In other words, your permissions should look something like this.
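As an added illustration of the permission model the post describes (this is not the poster's script, and it is not part of the original thread), the following bash snippet applies one workable set of modes to a Let's Encrypt tree and re-applies it on changes with `inotifywait`. The exact modes (0711 on `archive/` and `live/`, 2750 on `archive/<domain>`, 0640 on the key/cert files), the `LE_ROOT` variable, the function names, the `example.com` sample tree and the `--watch` flag are all assumptions made for this example; `inotify-tools` must be installed for the watch loop to run.

```bash
#!/usr/bin/env bash
# Added example, not the original poster's script. Assumed layout: LE_ROOT
# (default /etc/letsencrypt) with archive/<domain>/*.pem and live/<domain>/
# symlinks, which is the standard certbot layout.
set -euo pipefail

LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"

# fix_perms ROOT: root keeps everything; nobody else can read anything until a
# per-domain archive dir is handed to a group with grant_domain.
fix_perms() {
  local root="$1"
  chmod 0755 "$root"
  # Container dirs: traversable (x) but not listable by non-root, so a group
  # can reach the one domain it owns without enumerating the others.
  chmod 0711 "$root/archive" "$root/live"
  # Per-domain archive dirs: owner+group only, with setgid (2750) so files that
  # certbot writes on renewal inherit the domain's group instead of root.
  find "$root/archive" -mindepth 1 -maxdepth 1 -type d -exec chmod 2750 {} +
  # Keys and certs: readable by owner and group only.
  find "$root/archive" -mindepth 2 -type f -exec chmod 0640 {} +
  # live/<domain> holds only symlinks into archive/, so world-traversable is
  # harmless; the real access control sits on archive/<domain>.
  find "$root/live" -mindepth 1 -maxdepth 1 -type d -exec chmod 0755 {} +
}

# grant_domain ROOT DOMAIN GROUP: give one group read access to one domain.
grant_domain() {
  local root="$1" domain="$2" group="$3"
  chgrp -R -- "$group" "$root/archive/$domain"
}

# mode_of PATH: octal mode, e.g. "2750" (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# make_sample_tree: constructed sample layout in a temp dir, for trying this
# out without touching /etc/letsencrypt. Prints the directory path.
make_sample_tree() {
  local tmp
  tmp="$(mktemp -d)"
  mkdir -p "$tmp/archive/example.com" "$tmp/live/example.com"
  : > "$tmp/archive/example.com/privkey1.pem"
  : > "$tmp/archive/example.com/fullchain1.pem"
  ln -s ../../archive/example.com/privkey1.pem "$tmp/live/example.com/privkey.pem"
  ln -s ../../archive/example.com/fullchain1.pem "$tmp/live/example.com/fullchain.pem"
  printf '%s\n' "$tmp"
}

# watch_loop: apply the modes once, then re-apply whenever certbot drops new
# files into archive/. Only create/moved_to/close_write are watched; watching
# attrib would make our own chmod calls re-trigger the loop forever.
watch_loop() {
  command -v inotifywait >/dev/null 2>&1 || { echo "inotifywait not found (install inotify-tools)" >&2; return 1; }
  fix_perms "$LE_ROOT"
  inotifywait -m -r -e create -e moved_to -e close_write --format '%w%f' "$LE_ROOT/archive" |
    while read -r changed; do
      echo "change at $changed, re-applying modes" >&2
      fix_perms "$LE_ROOT"
    done
}

# Run as a daemon with:  ./le-perms.sh --watch   (e.g. under tmux/screen)
if [ "${1:-}" = "--watch" ]; then
  watch_loop
fi
```

Run `fix_perms` once, then `grant_domain /etc/letsencrypt domain.com www-data` (or whichever group your web server runs as) for each domain you want to expose; everything else stays root-only. The setgid bit matters because certbot writes `privkey2.pem`, `privkey3.pem`, ... as new files on each renewal, and without it those would come back group `root` and the grant would silently stop working after the first renewal.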