Having designed a system that operates exactly as you’ve proscribed, I would be very curious as to how I can generate a new certificate for a domain I don’t control without control to prove ownership. Even if the rightful controller of the domain is lazy or naive in not removing the DNT TXT records, validation files, or python proof, I would only be able to create a certificate that their current domain validations would allow if the validation tokens didn’t change, which they ALWAYS do after certificate issuance. Even failing a validation challenge results in the token changing for that validation with the old token being worthless. I’ve tested this myself HUNDREDS of times. I’m sorry my friend, but I see NO foundation for your fear from a security standpoint.
From my analysis from a security standpoint, the account key signature only serves the purpose of preventing interference by a man-in-the-middle during the issuance process. After the certificate is issued, the challenge tokens, where ALL of the power of abuse reside, are invalidated thus rendering any information from the session completely powerless. The constant use of nonces issued by Let’s Encrypt for every exchange ensure that.
Therefore, if the scenario you’ve described was the reason why Let’s Encrypt removed recommendation for online clients, I would highly advise Let’s Encrypt to get better security analysts. I suspect that the ACTUAL reason has to do with control and data gathering. By the way, the ONLY emails I get from Let’s Encrypt based on an account email regarding renewal reminders are for OTHER PEOPLE’S ACCOUNTS who have incorrectly used an email address for one of my domains, thus proving that Let’s Encrypt never verifies ownership of account emails.