Revoke certificate generated by a compromised host or DNS

My understanding, from previous discussion, for the case of key compromise specifically, is that the request needs to be by API and not by email. I guess in the initial post it may depend on exactly what "compromising my DNS or host" means, where like changing the DNS servers listed by the domain registrar but not having access to the original server might be able to get revoked by email, but if an attacker has access to the server with the private key itself then Let's Encrypt isn't obligated to revoke based on an email report? This all is really confusing to me.

In terms of revoking based on holding "all" the names or "any" name, the RFC 8555 spec seems to be saying in section 7.6 that "an account that holds authorizations for all of the identifiers in the certificate" "MUST" be allowed to revoke, but that an implementation might allow other accounts to revoke as well (such as one that just had some of the authorizations for the identifiers).

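To make the RFC 8555 section 7.6 distinctions in the post concrete, here is an added example (not code from the thread, from Let's Encrypt, or from any ACME client) that builds the `revokeCert` payload the spec defines, a base64url-encoded DER certificate plus an optional RFC 5280 reason code, and classifies a revocation request by who signed it. It goes slightly beyond the post: in addition to the "account holding authorizations for all identifiers" and "signed with the certificate's own key" cases, it also covers the issuing-account clause that 7.6 lists, and models the subset-of-authorizations case as a server-policy decision (the spec's "MAY"). The DER bytes are a constructed placeholder, not a real certificate, and `classify_revocation` illustrates the spec's rules, not any particular CA's actual policy.

```python
import base64
import json
from typing import Iterable, Optional

# RFC 5280 CRLReason values that ACME revokeCert accepts in its "reason" field
REASON_UNSPECIFIED = 0
REASON_KEY_COMPROMISE = 1
REASON_SUPERSEDED = 4
REASON_CESSATION_OF_OPERATION = 5


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires (via RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_revoke_payload(cert_der: bytes, reason: Optional[int] = None) -> dict:
    """Body of a POST to the revokeCert resource (RFC 8555 section 7.6).

    The JWS wrapping and signature are done by the ACME client and are not
    shown here; this is only the JSON payload inside it.
    """
    payload = {"certificate": b64url(cert_der)}
    if reason is not None:
        payload["reason"] = reason
    return payload


def parse_revoke_payload(raw: str) -> tuple:
    """Server-side view: recover the DER certificate and the reason, if any."""
    body = json.loads(raw)
    return b64url_decode(body["certificate"]), body.get("reason")


def classify_revocation(
    signed_with: str,
    cert_identifiers: Iterable[str],
    account_authorized_identifiers: Iterable[str] = (),
    is_issuing_account: bool = False,
    allow_partial_authorizations: bool = False,
) -> str:
    """Classify a revocation request against RFC 8555 section 7.6.

    signed_with is either "certificate_key" (request signed with the private key
    matching the certificate's public key) or "account_key" (a normal ACME
    account signature).  Returns:
      "must_accept"   - the spec obliges the server to treat the request as valid
      "policy_accept" - the spec leaves it to the server (MAY), and this server's
                        policy (allow_partial_authorizations) says yes
      "reject"        - neither condition holds
    """
    cert_ids = set(cert_identifiers)
    acct_ids = set(account_authorized_identifiers)

    if signed_with == "certificate_key":
        # Holding the certificate's private key is always sufficient.
        return "must_accept"
    if signed_with != "account_key":
        raise ValueError("signed_with must be 'certificate_key' or 'account_key'")

    # Accounts the server MUST treat as valid: the issuing account, or one that
    # holds authorizations for every identifier in the certificate.
    if is_issuing_account or cert_ids <= acct_ids:
        return "must_accept"

    # Servers MAY accept accounts holding only a subset of the authorizations.
    if allow_partial_authorizations and cert_ids & acct_ids:
        return "policy_accept"
    return "reject"


if __name__ == "__main__":
    # Constructed placeholder DER, not a real certificate
    fake_cert_der = b"\x30\x03\x02\x01\x01"
    payload = build_revoke_payload(fake_cert_der, REASON_KEY_COMPROMISE)
    print(json.dumps(payload))
    print(classify_revocation("account_key", ["a.example", "b.example"], ["a.example"]))
```

Note that the classification only answers "is the server obliged to accept this request"; whether an email report or other out-of-band evidence also leads a CA to revoke is a CA policy matter that the ACME protocol does not settle.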