The acme.sh will change default CA to ZeroSSL on August-1st 2021

I think there are a few concerns going on here, one with the general concept of sponsorship of F/OSS, and some with the particular sponsor at issue.

Sponsorship is a mixed blessing. On the one hand, it provides funding, which is helpful for any number of things. On the other hand, it gives the sponsor some degree of explicit or implicit control over what the sponsored project does, not infrequently resulting in tension between what the sponsor wants and what the community wants, and sometimes resulting in the destruction of the sponsored project altogether (See: CentOS).

How big of a concern is this? Well, that depends a lot on the sponsor(s). And unfortunately, ZeroSSL has given cause for some concern:

  • They changed, overnight and without warning, from a pretty nice web-based client for Let's Encrypt (leaving aside what a bad idea that is), into issuing "their own" certs (on which, more later)
  • At the same time, they moved from being a totally-free service to a mostly-paid service
  • "Their own" certs aren't really theirs, they're Sectigo (i.e., Comodo) certs, and Comodo is well established as a bad actor. For any who may be unaware or have forgotten:
    • They took part in the general CA FUD against Let's Encrypt, but took it several steps farther.
    • They tried to register the trademark for "Let's Encrypt", in an apparent attempt to prevent Let's Encrypt from using their own name--eventually public outcry forced them to back down.
    • Their own web browser, for a time, singled out certs from Let's Encrypt, marking sites using those certs as not secure. They eventually updated the code to apply the same warning to any DV cert.
    • When called out about each of these issues, let's just say that their CEO didn't do anything to dispel the idea that they were deliberately spreading FUD.

So I think concern, to a degree, is completely justified. Two pretty major players here (probably the most popular alternative client, and a pretty cool web server) have been sponsored by a company with some questionable history, who also keeps some pretty questionable company. And within a fairly short period of time, both are taking steps to favor that sponsor--over LE in the case of acme.sh, equal with LE in the case of Caddy. This isn't "OMG the sky is falling", but I don't think it requires being a paranoid conspiracy theorist to be a little concerned here.