…unless you use one of the many alternative clients that don’t run as root. What’s the next red herring?
Edit: Unless it’s going to use an existing CSR, the client needs to be able to read your private key, which ordinarily should have very restrictive permissions (usually owned by root, and readable only by owner). For this configuration, the client would need to run as root. You could create a group (e.g., “letsencrypt”), with only root and letsencrypt as users, make the private key readable by that group, and run the client as that user; in that case the client wouldn’t need root permissions. Or you could create the CSR once as root, and allow the client to submit that. In that case, the client only needs to read the CSR, which doesn’t contain the private key.
The other permissions needed depend on the validation mechanism you’re using. For http-01 auth (probably the simplest to complete), the client needs to be able to write to whatever directory appears as http://yourserver/.well-known/acme-challenge/. For DNS, it somehow needs to be able to update your DNS entries (if your DNS provider has an API, this can be simple; otherwise it may require manual intervention).
But really, I think we’ve had this conversation already, in this very thread. Your complaint is that the 90-day lifetime makes manual renewal a PITA. My observation is that the LE team doesn’t care–their focus is on automated issuance and renewal, and they aren’t particularly interested in dealing with that manually. You keep repeating that concern in slightly different ways as though it’s something new, but it isn’t–the LE team is aware that this lifetime makes manual issuance and renewal inconvenient, and they clearly don’t care. Or, at least, they don’t care enough to change it for that reason.
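As an added illustration (not code from this thread or from any Let's Encrypt client) of the least-privilege layout described above: the private key is readable by a dedicated group only, the CSR handed to the client carries no private key material, and the http-01 response goes under the webroot's `.well-known/acme-challenge/` without being able to escape it. The group name "letsencrypt", the paths and the token value are assumptions; the demo uses a temporary directory and the current user's own group in place of root:letsencrypt.

```python
import os
import stat
import string
import tempfile

# ACME tokens are base64url (RFC 8555), so this is the only alphabet a token may use.
_TOKEN_CHARS = set(string.ascii_letters + string.digits + "-_")


def key_mode_ok(path, key_gid):
    """Private key: owned by the dedicated group, group read-only, nothing for world."""
    st = os.stat(path)
    if st.st_gid != key_gid:
        return False
    if st.st_mode & stat.S_IRWXO:                      # world must have no access at all
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IXGRP))  # group may only read


def csr_is_public_only(pem_text):
    """A CSR given to an unprivileged client must not contain a private key block."""
    return "CERTIFICATE REQUEST" in pem_text and "PRIVATE KEY" not in pem_text


def challenge_path(webroot, token):
    """Where the http-01 response file goes; refuse anything that is not a base64url
    token, so a malformed token can never place the file outside the challenge dir."""
    if not token or set(token) - _TOKEN_CHARS:
        raise ValueError("token is not base64url")
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def demo():
    """Constructed layout in a temp dir (assumption: our own gid stands in for 'letsencrypt')."""
    gid = os.getgid()
    root = tempfile.mkdtemp()
    key = os.path.join(root, "privkey.pem")
    with open(key, "w") as f:
        f.write("-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n-----END PRIVATE KEY-----\n")
    os.chown(key, -1, gid)                 # group 'letsencrypt'
    os.chmod(key, 0o640)                   # rw-r-----: owner and group read, world nothing
    csr = "-----BEGIN CERTIFICATE REQUEST-----\n(constructed)\n-----END CERTIFICATE REQUEST-----\n"
    webroot = os.path.join(root, "www")
    os.makedirs(os.path.join(webroot, ".well-known", "acme-challenge"))
    good = challenge_path(webroot, "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA")  # RFC 8555 sample token
    try:
        challenge_path(webroot, "../../outside")      # must be rejected
        traversal_blocked = False
    except ValueError:
        traversal_blocked = True
    return {
        "key_ok": key_mode_ok(key, gid),
        "csr_ok": csr_is_public_only(csr),
        "challenge_inside_webroot": good.startswith(webroot + os.sep),
        "traversal_blocked": traversal_blocked,
    }
```

On a real host the same checks apply to the actual key file owned by root:letsencrypt and to the client's own unprivileged account.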