The files are only readable as root by virtue of /etc/letsencrypt/archive being 0700.
Those files you mentioned are 0644 (in Cerbot <0.29), it’s true, but they are obscured from unprivileged users by the above directory permission.
Apache/nginx initially load their configuration as the root user and then drop privileges, so they are reading it as root as well. (With the except of when certificates in nginx are loaded via variables, in which case, they are read by the nginx user).
Whether the above is a best practice or not is a bit of a ¯\(ツ)/¯.
It’s a bit of a potential risk if the files are copied outside of the directory, since the protection of archive being 0700 is lost.
There’s some up to date discussion on the matter here: https://github.com/certbot/certbot/issues/7412 . I recommend carefully reading the response by adferrand which explains how things have improved across Certbot versions and can be further improved still.