@azurit, as a result of this you could do something to stop potential malware from creating things under the path .well-known/acme-challenge – indeed, for other reasons it might be a good idea to restrict serving other things under .well-known, but you may want to discuss this with your users because some sites might have legitimate reasons to serve other .well-known resources.
If you allow users to load their own TLS certs for particular domains, they could also potentially complete our other challenge type, DVSNI, so you may want to consider restricting that in addition to the verification files.
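
One way a hosting provider could audit for this, as an added example that is not part of the original post: it assumes per-site document roots and a set of trusted UIDs that the provider's own ACME client runs as (both hypothetical), and the sample tree it builds is constructed.

```python
import os
import tempfile


def classify(path, trusted_uids):
    """Return why a challenge-path entry is suspect, or None if it looks provider-made."""
    if os.path.islink(path):  # a link can point validation at content stored elsewhere
        return "symlink"
    if os.lstat(path).st_uid not in trusted_uids:
        return "untrusted-owner"
    return None


def audit_docroots(docroots, trusted_uids):
    """List (path, reason) for entries under .well-known/acme-challenge in each docroot."""
    findings = []
    for root in docroots:
        well_known = os.path.join(root, ".well-known")
        target = os.path.join(well_known, "acme-challenge")
        # Other .well-known resources can be legitimate, so only a symlinked parent is flagged.
        if os.path.islink(well_known):
            findings.append((well_known, "symlink"))
        if not os.path.lexists(target):
            continue
        paths = [target]
        for dirpath, dirnames, filenames in os.walk(target):
            paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in paths:
            reason = classify(path, trusted_uids)
            if reason:
                findings.append((path, reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: site-a holds a challenge file, site-b none, site-c a symlink."""
    base = tempfile.mkdtemp(prefix="docroots-")
    chal = os.path.join(base, "site-a", ".well-known", "acme-challenge")
    os.makedirs(chal)
    open(os.path.join(chal, "constructed-token"), "w").close()
    os.makedirs(os.path.join(base, "site-b", ".well-known"))
    os.makedirs(os.path.join(base, "site-c", ".well-known"))
    os.symlink(chal, os.path.join(base, "site-c", ".well-known", "acme-challenge"))
    return base, [os.path.join(base, s) for s in ("site-a", "site-b", "site-c")]


if __name__ == "__main__":
    for finding in audit_docroots(build_sample_tree()[1], {os.getuid()}):
        print(finding)
```

Run with the provider's own UID as trusted, only the symlinked challenge directory is reported; with no trusted UIDs, every entry under the challenge path is.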