Even as the author of a website ACME client that was created to replace ZeroSSL and SSLforfree (and does use its own ACME account key when generating all certificates), I would be remiss in not referencing the following excellent analysis:
My client ONLY accepts CSRs as I do not believe it realistic for anyone to (continually) review locally-operating code to ensure that private keys are not stolen. Honestly though, how many people (@_az and @Osiris here aside) actually review any client's code before using it? At least with restriction to a CSR, the client has zero exposure to your private keys. Trust lines...
The explicit risks of using someone else's ACME account key:
- Potentially not receiving email reminders (does the CSR email override here, @_az, outside of the email for the ACME account being updated?)
- Granting carte blanche to the ACME account key holder to generate additional certificates for any authorized domain names within 30 days (This is usually the case)
- Granting carte blanche to the ACME account key holder to revoke any generated certificates (I believe this does not require reauthorization, but audit me here please, @_az)
A reasonable concern.
The CA signature enables verification of the authenticity of a certificate to prevent tampering or spoofing.
If you don't trust an ACME client with handling your certificate, you can always:
- Download your certificate: https://crt.sh
- Download the CA intermediate certificate: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
- Append the intermediate certificate to your certificate to create fullchain.pem.
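As an added example (not from either post above), a POSIX shell script that carries out those three steps with the checks a cautious operator would want before trusting the result: that the downloaded intermediate actually signed the leaf, and that the leaf matches the private key that never left the machine. The file names (cert.pem, intermediate.pem, privkey.pem, fullchain.pem) are assumptions; when no root file is passed, openssl anchors the chain in the system trust store.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assembles fullchain.pem
# from a leaf certificate and the CA intermediate, but only after verifying
# the chain and the key match. All file names are assumptions.
set -eu

# verify_chain LEAF INTERMEDIATE [ROOT]
# Succeeds only if LEAF was signed by INTERMEDIATE and the chain anchors in
# ROOT (when given) or in the system trust store (when omitted).
verify_chain() {
  leaf=$1; inter=$2; root=${3:-}
  if [ -n "$root" ]; then
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1
  else
    openssl verify -untrusted "$inter" "$leaf" >/dev/null 2>&1
  fi
}

# key_matches LEAF KEY
# Compares the SHA-256 of the DER public key inside the certificate with the
# one derived from the private key, so a chain is never built for the wrong key.
key_matches() {
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  b=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# build_fullchain LEAF INTERMEDIATE KEY OUT [ROOT]
# Writes OUT as leaf-then-intermediate (the order TLS servers expect) and
# refuses to write anything if either check fails.
build_fullchain() {
  leaf=$1; inter=$2; key=$3; out=$4; root=${5:-}
  verify_chain "$leaf" "$inter" "$root" \
    || { echo "error: $leaf does not chain to $inter" >&2; return 1; }
  key_matches "$leaf" "$key" \
    || { echo "error: $leaf does not match private key $key" >&2; return 1; }
  cat "$leaf" "$inter" > "$out"
  # Sanity check: the bundle must hold exactly two certificates.
  [ "$(grep -c 'BEGIN CERTIFICATE' "$out")" -eq 2 ]
}

# Usage, with the files the post describes:
#   build_fullchain cert.pem intermediate.pem privkey.pem fullchain.pem
```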