This is a great tip. You can also do this with a CNAME in some cases, right?
Can we maybe make a new page for in Documentation - Let's Encrypt for some form of "I can't allow incoming connections from the whole world"? Maybe especially with the recent changes, some form of this seems to be a pretty frequently-asked question. I'll make a little draft.