privkey1.pem has 644, better is 600

Agree that we should change those permissions. I’ve bumped it ahead on our roadmap, but feel free to send us a PR for #1473 if you want it to happen quickly 🙂

Aside to OP: it’s also much, much better to symlink to these files rather than copying them out of /etc/letsencrypt, and it’s actually bad to move them out of /etc/letsencrypt, because the autorenewal code we’re working on may use the past keys and certs in that directory to understand what successor certs you’ll need at renewal time.

2 Likes
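
The two points raised in this thread (private keys at mode 644 rather than 600, and symlinking to the files instead of copying them out) can be checked with a short script. This is an added example, not part of the original posts and not Let's Encrypt client code; the function names and the temporary directory tree built in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit key modes under a certificate directory and check that
# a deployed key is a symlink into it. All paths in demo() are constructed.

# List privkey*.pem files that grant any group/other permission bit.
loose_keys() {
    find "$1" -type f -name 'privkey*.pem' \( -perm -040 -o -perm -020 \
        -o -perm -010 -o -perm -004 -o -perm -002 -o -perm -001 \)
}

# Restrict every loose key to owner read/write (600).
tighten_keys() {
    loose_keys "$1" | while IFS= read -r f; do chmod 600 "$f"; done
}

# Succeed only if $2 is a symlink that resolves to a path inside $1.
is_link_into() {
    [ -L "$2" ] || return 1
    base=$(readlink -f "$1") && target=$(readlink -f "$2") || return 1
    case "$target" in "$base"/*) return 0 ;; *) return 1 ;; esac
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/letsencrypt/example.test" "$tmp/app"
    key="$tmp/letsencrypt/example.test/privkey1.pem"
    echo "constructed placeholder, not a real key" > "$key"
    chmod 644 "$key"                       # the mode reported in the thread
    cp "$key" "$tmp/app/copied.pem"        # detached copy, misses renewals
    ln -s "$key" "$tmp/app/linked.pem"     # symlink back into the cert dir
    echo "loose before: $(loose_keys "$tmp/letsencrypt")"
    tighten_keys "$tmp/letsencrypt"
    echo "loose after:  $(loose_keys "$tmp/letsencrypt")"
    for p in copied.pem linked.pem; do
        if is_link_into "$tmp/letsencrypt" "$tmp/app/$p"; then
            echo "$p: symlink into cert dir"
        else
            echo "$p: not a symlink into cert dir"
        fi
    done
    rm -rf "$tmp"
}
demo
```

On a real host the first argument would be `/etc/letsencrypt`, and `is_link_into` would be pointed at whatever key path the server configuration references.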