This is essentially correct. By the Mozilla Root Program Requirements, "Section 4.9.12 of a CA's CP/CPS MUST clearly specify the methods that parties may use to demonstrate private key compromise." Our CPS does not obligate us to accept a key compromise report consisting of a CSR signed by the supposedly-compromised private key emailed to cert-prob-reports@.
We of course may revoke the cert anyway. Our Subscriber Agreement states that "ISRG will determine, in its sole discretion, whether to revoke Your Certificate." And if you email the private key to us directly, then of course we would be obligated to revoke, as having the key in our possession is incontrovertible demonstration of key compromise. But again: please do not do these things. Use the ACME API to revoke certs, both for key compromise and otherwise, because we currently have active certs for approximately 200 million private keys and email and manual revocation do not scale.
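For readers wondering what an ACME revocation for key compromise looks like on the wire, here is an added example (not part of the original post and not Let's Encrypt's code). It follows RFC 8555 section 7.6, where the request is signed with the certificate's own key. It assumes a P-256 certificate key; the key pair, certificate bytes, URL and nonce are constructed placeholders, and `verifyKeyCompromiseRevocation` is a hypothetical stand-in for the server-side check.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// RFC 8555 section 7.6 revocation request authorised by the certificate's own
// key: the protected header carries "jwk" (the certificate public key), not an
// account "kid", so the signature itself demonstrates control of the key.
function buildKeyCompromiseRevocation(certKey, certDer, revokeUrl, nonce) {
  const { kty, crv, x, y } = crypto.createPublicKey(certKey).export({ format: 'jwk' });
  const header = b64url(JSON.stringify({ alg: 'ES256', jwk: { kty, crv, x, y }, nonce, url: revokeUrl }));
  // reason 1 is keyCompromise in the RFC 5280 CRL reason codes.
  const payload = b64url(JSON.stringify({ certificate: b64url(certDer), reason: 1 }));
  // JWS ES256 uses the raw r||s signature form, not Node's default DER form.
  const signature = crypto.sign('sha256', Buffer.from(`${header}.${payload}`),
    { key: certKey, dsaEncoding: 'ieee-p1363' });
  return { protected: header, payload, signature: b64url(signature) };
}

// Hypothetical server-side check: the JWS key must be the certificate's key
// and the signature must verify. A real CA reads the public key out of the
// certificate; here it is passed in because the certificate is a placeholder.
function verifyKeyCompromiseRevocation(jws, certPublicKey) {
  const header = JSON.parse(Buffer.from(jws.protected, 'base64url').toString());
  if (header.alg !== 'ES256' || !header.jwk || 'kid' in header) return false;
  const jwsKey = crypto.createPublicKey({ key: header.jwk, format: 'jwk' });
  const spki = (k) => k.export({ type: 'spki', format: 'der' });
  if (!spki(jwsKey).equals(spki(certPublicKey))) return false;
  return crypto.verify('sha256', Buffer.from(`${jws.protected}.${jws.payload}`),
    { key: jwsKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(jws.signature, 'base64url'));
}

// Constructed sample values: throwaway key pair, placeholder certificate bytes,
// example URL and nonce. A real client takes the last two from the ACME server.
const sampleKey = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const sampleCertDer = Buffer.from('constructed placeholder for DER certificate bytes');
const sampleJws = buildKeyCompromiseRevocation(sampleKey.privateKey, sampleCertDer,
  'https://acme.example/acme/revoke-cert', 'constructed-nonce');
console.log(JSON.stringify(sampleJws, null, 2));
console.log('accepted:', verifyKeyCompromiseRevocation(sampleJws, sampleKey.publicKey));
```

The private key never leaves the reporter's machine: only the public key and a signature are sent, which is what distinguishes this from emailing the key.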