Let’s Encrypt uses Google’s Safe Browsing API to check if the domain a certificate is requested for is known to be malicious. If that’s the case, issuance is blocked. This check is only performed during issuance; there’s no automatic revocation if the domain gets added later on (though renewal will be blocked).
There’s a blacklist for high-profile domains (like paypal.com), but that is more of a defense-in-depth mechanism for potential domain validation vulnerabilities. AFAIK the blacklist consists mostly of *.<blacklisted-label>.<tld> rules, i.e. something like paypal.com, paypal.io, www.paypal.com would be blocked, but paypal.com.example.com wouldn’t.
For some more details about Let’s Encrypt’s stance on phishing, see this blog post.
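
The rule shape described in the post, as an added example that is not part of the original post and not Let’s Encrypt’s code: a name is blocked when the label directly left of its suffix is a blocked label. The blocklist, the suffix set (including the multi-label `co.uk`, which goes beyond the single-label TLD in the post) and the function names are assumptions made for illustration.

```python
# Added illustration, not Let's Encrypt code. Only the rule shape
# "*.<blacklisted-label>.<tld>" comes from the post; all names and data are assumed.

BLOCKED_LABELS = {"paypal"}          # constructed sample blocklist
SUFFIXES = {"com", "io", "co.uk"}    # constructed stand-in for a public suffix list


def split_suffix(hostname):
    """Return (labels left of the suffix, suffix) for the longest known suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    # Starting at i = 0 tries the longest candidate suffix first.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SUFFIXES:
            return labels[:i], candidate
    return None


def is_blocked(hostname):
    """True when the label directly left of the suffix is on the blocklist."""
    parts = split_suffix(hostname)
    if parts is None:
        return False  # unknown suffix: this sketch has no rule for it
    left, _suffix = parts
    # Only the rightmost label before the suffix is compared, so a blocked
    # label further left (paypal.com.example.com) does not match.
    return bool(left) and left[-1] in BLOCKED_LABELS


if __name__ == "__main__":
    # Constructed sample names, the first four taken from the post.
    for name in ("paypal.com", "paypal.io", "www.paypal.com",
                 "paypal.com.example.com", "paypal.co.uk"):
        print(f"{name:26} blocked={is_blocked(name)}")
```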