This isn't really safe either. Due to the fact that authorizations are re-usable (currently for 30 days), it opens the opportunity for sslforfree.com to just silently* issue an identical certificate under an alternate private key. This is because they control the ACME account key at all times.
(* mitigated by CT logs but most users are not savvy to that)
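
The CT-log mitigation mentioned in the footnote, as an added example that is not part of the original post: a check a domain owner could run over parsed CT entries to flag certificates that cover their names under a public key they did not generate. The entry field names, the domains and the key fingerprints are all constructed for illustration.

```python
from hashlib import sha256

# Constructed stand-ins for SubjectPublicKeyInfo fingerprints (not real keys).
MY_SPKI = sha256(b"constructed-spki-of-key-i-generated").hexdigest()
OTHER_SPKI = sha256(b"constructed-spki-of-unknown-key").hexdigest()

# Constructed CT entries in the shape a monitor might emit after parsing log
# entries; the field names are assumptions of this example.
CT_ENTRIES = [
    {"serial": "01", "names": ["example.org", "www.example.org"],
     "spki_sha256": MY_SPKI, "precert": True},
    {"serial": "01", "names": ["example.org", "www.example.org"],
     "spki_sha256": MY_SPKI, "precert": False},
    # Same names, different key: the case described in the post.
    {"serial": "02", "names": ["example.org", "www.example.org"],
     "spki_sha256": OTHER_SPKI, "precert": False},
    {"serial": "03", "names": ["*.example.org"],
     "spki_sha256": OTHER_SPKI, "precert": False},
    {"serial": "04", "names": ["example.net"],
     "spki_sha256": OTHER_SPKI, "precert": False},
]


def covers(cert_name, domain):
    """True if a certificate dNSName covers `domain` (single-label wildcard)."""
    cert_name = cert_name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if cert_name.startswith("*."):
        # A wildcard matches exactly one leftmost label, never the bare parent.
        return "." in domain and domain.split(".", 1)[1] == cert_name[2:]
    return cert_name == domain


def unexpected_certs(entries, my_domains, my_spki_hashes):
    """Map serial -> covered domains for certs issued under keys I do not hold."""
    flagged = {}
    for entry in entries:
        hit = sorted({d for d in my_domains
                      for n in entry["names"] if covers(n, d)})
        if hit and entry["spki_sha256"] not in my_spki_hashes:
            # A precertificate and its final certificate share a serial,
            # so keying on serial reports each issuance once.
            flagged[entry["serial"]] = hit
    return flagged


if __name__ == "__main__":
    mine = {"example.org", "www.example.org"}
    for serial, domains in unexpected_certs(CT_ENTRIES, mine, {MY_SPKI}).items():
        print(f"serial {serial}: unknown key for {', '.join(domains)}")
```

The check only works if the set of fingerprints comes from keys generated and stored by the domain owner, not from whatever the issuing service reports.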