The default behavior is that certbot renew tries to renew any certificates that expire in less than 30 days, and no other certificates. Therefore, it's safe (and recommended) to run this command very frequently. We recommend running certbot renew twice per day, every day, and not scheduling it to run only on specific days. It will result in frequent renewal attempts during the 30-day expiry window if no renewal has succeeded, and once a renewal has succeeded, no renewal attempts on that certificate thereafter until the following 30-day expiry window.
You can change this interval with the renew_before_expiry option in the configuration file in /etc/letsencrypt/renewal associated with an individual certificate. For example, you could set renew_before_expiry = 60 days so that Certbot attempts to renew certificates when they're two months from expiry rather than one month from expiry. Anything up to the extreme of renew_before_expiry = 82 days is probably safe with respect to our rate limits as long as you only have a small number of different certificates. This would mean that Certbot would try to renew certificates very frequently, but would pause for about a week after each successful renewal, which is enough time to avoid running into our rate limits.
If you're certain that you don't want to have a port 80 listener the rest of the time, you could simply make your regular web server not listen on port 80, and then use -a standalone in Certbot (authenticator = standalone in the renewal configuration file). In that case, Certbot will create its own port 80 listener which will only exist during actual renewal attempts, typically for less than one minute every 60 days. This is only appropriate on systems where no other software is normally listening on port 80.
We're really sorry about this configuration change being necessary, but I think that there ought to be some workaround that will work for your environment. As you noted, reluctance to use port 80 for a reason other than an ISP firewall is relatively uncommon.
If you don't have an easy way to get a Certbot DNS plugin for your particular DNS provider but you want to use the DNS challenge instead of ever using port 80, you might want to try acme.sh (https://acme.sh/), which supports a lot of DNS providers out-of-the-box.
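The renewal rule described in the reply above (attempt renewal only when fewer than renew_before_expiry days remain, so a larger window shortens the quiet period after each successful renewal), worked through as an added example. This is not Certbot's code and not part of the original post: the sample renewal config is constructed here, its layout is modelled from memory on /etc/letsencrypt/renewal/<name>.conf and should be checked against a real file, and the interval parser is deliberately limited to day values (Certbot's own parser accepts more forms).

```python
"""Added example: reproduce Certbot's renewal decision from a renewal config.

Assumptions (not taken from the post): the config layout below, a 90-day
certificate lifetime, and an interval parser that understands only days.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample; the layout mimics /etc/letsencrypt/renewal/<name>.conf.
# The first line is a comment, so the 30-day default shown there is ignored
# and the explicit "60 days" setting further down wins.
SAMPLE_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/example.test
cert = /etc/letsencrypt/live/example.test/cert.pem
privkey = /etc/letsencrypt/live/example.test/privkey.pem
chain = /etc/letsencrypt/live/example.test/chain.pem
fullchain = /etc/letsencrypt/live/example.test/fullchain.pem
renew_before_expiry = 60 days

[renewalparams]
authenticator = standalone
account = 0123456789abcdef
server = https://acme-v02.api.letsencrypt.org/directory
"""

CERT_LIFETIME_DAYS = 90  # assumed lifetime of the issued certificate


def parse_renewal_conf(text):
    """Split a renewal config into (top_level, sections) dicts.

    Keys before the first [section] header are top-level (cert paths,
    renew_before_expiry); keys under [renewalparams] describe how the
    certificate was obtained (authenticator, account, server).
    """
    top, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        target = sections[current] if current is not None else top
        target[key.strip()] = value.strip()
    return top, sections


def parse_interval(value, default_days=30):
    """Turn "60 days" (or "82d") into a timedelta; None means the default."""
    if value is None:
        return timedelta(days=default_days)
    m = re.fullmatch(r"(\d+)\s*d(?:ays?)?", value.strip(), re.IGNORECASE)
    if m is None:
        raise ValueError(f"unsupported interval (days only here): {value!r}")
    return timedelta(days=int(m.group(1)))


def renewal_due(not_after, window, now):
    """The rule from the post: renew only when less than `window` remains."""
    return not_after - now < window


def quiet_period_after_renewal(window, lifetime_days=CERT_LIFETIME_DAYS):
    """Days a fresh certificate sits before the next attempt is made."""
    return timedelta(days=lifetime_days) - window


def evaluate(conf_text, days_left):
    """Decide for a certificate with `days_left` remaining, per the config.

    Returns a plain dict so the outcome is easy to inspect or assert on.
    """
    top, sections = parse_renewal_conf(conf_text)
    window = parse_interval(top.get("renew_before_expiry"))
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo
    not_after = now + timedelta(days=days_left)
    return {
        "authenticator": sections.get("renewalparams", {}).get("authenticator"),
        "window_days": window.days,
        "due": renewal_due(not_after, window, now),
        "quiet_days_after_renewal": quiet_period_after_renewal(window).days,
    }


if __name__ == "__main__":
    for days_left in (61, 59):
        print(days_left, "days left ->", evaluate(SAMPLE_RENEWAL_CONF, days_left))
    # The 82-day extreme from the post leaves about a week of quiet time.
    print("82-day window quiet period:",
          quiet_period_after_renewal(parse_interval("82 days")).days, "days")
```

Running it shows why a twice-daily cron entry is harmless: with 61 days left nothing happens, with 59 days left the attempt is made, and after a success the certificate is left alone for lifetime minus window days (30 days with the default, 8 days at the 82-day extreme), which is the pause the reply relies on to stay under the rate limits.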