Service that automatically provisions CNAME redirection for DNS challenges

The CAs were not included in “in the middle”.
Obviously we must “trust” someone/somewhere.
The point is to minimize the amount of trust required and to be able to use public systems just as we would use trusted systems.
Encryption accomplishes this every day with TLS and VPN, etc.

Like some systems require two-factor auth and do so quite simply with SMS text messaging.
LE could allow one to add an additional two-factor auth.
Or simply require the auth token to be itself encrypted with the account key.
The token has no legible text, no real visible pattern to match - it would take a true brute force attack to crack the account key before anyone could use it elsewhere.

Here is the one-time specific cleartext token.
Now encrypt it and store it in any public DNS (that can be CNAMEd to any other public DNS).

Neither DNS system is able to exploit you.
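As an added illustration (not part of the post above, and not Let's Encrypt's own code): how the value published in an ACME DNS-01 TXT record is derived from the challenge token and the account key, per RFC 8555 (key authorization) and RFC 7638 (JWK thumbprint), and how the CA side recomputes it. The account key and token below are constructed placeholders, not real values.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME/JOSE use it (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialised as compact JSON with keys in lexicographic order.
    Optional members such as 'alg' or 'kid' are excluded by design."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Client side: the string placed in the _acme-challenge TXT record.
    It is SHA-256 of 'token.thumbprint', so the record is bound to the
    account key and the raw token never appears in DNS."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def ca_validates(observed_txt: str, token: str, account_jwk: dict) -> bool:
    """CA side: recompute the expected value from the order's token and the
    registered account key, then compare in constant time."""
    expected = dns01_txt_value(token, account_jwk)
    return hmac.compare_digest(observed_txt, expected)


# Constructed sample inputs (placeholder key and token, not real ACME data).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256",
               "x": "placeholder-x-coordinate", "y": "placeholder-y-coordinate"}
OTHER_JWK = {"kty": "EC", "crv": "P-256",
             "x": "another-placeholder-x", "y": "another-placeholder-y"}
TOKEN = "constructed-challenge-token-0001"

if __name__ == "__main__":
    txt = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    print("_acme-challenge TXT:", txt)
    print("CA accepts:", ca_validates(txt, TOKEN, ACCOUNT_JWK))
    print("CA accepts with a different account key:", ca_validates(txt, TOKEN, OTHER_JWK))
```

A DNS host that receives only the TXT value (directly or via a CNAME) gets a hash that is useless without the matching account key and the CA's current token.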
