I’m no lawyer but Letsencrypt being US based I’d guess it is susceptible to the US gov walking in with a demand for the keys and giving Letsencrypt a gag order at the same time.
Like what happened with Lavabit: https://en.wikipedia.org/wiki/Lavabit#Suspension_and_gag_order
Your browser trusts dozens of certificate authorities. Any single one of them could issue a valid certificate for your website.
You are already protected, because browsers now require SCTs to be embedded in all trusted certificates, as part of certificate transparency. Read this: https://www.certificate-transparency.org/how-ct-works . This is a much stronger, cryptographically-based protection, unlike a warrant canary, which nobody knows how to interpret anyway, most of the time.
If the US government wants to start using Let’s Encrypt’s CA keys to create unauthorized certificates for all your domains, the certificates would still need to show up in certificate transparency logs. That means, you can catch them in the act by using something like https://sslmate.com/certspotter/ . What’s more, this protects you from the compromise of all CAs, not just Let’s Encrypt.
Please take a look at the ISRG legal transparency reports:
These publicly describe the amount and kind of legal process that ISRG is presented with by governments.
(@_az’s and @JuergenAuer’s answers are also helpful—all Let’s Encrypt-issued certificates are publicly disclosed in a place outside of ISRG’s control, and Let’s Encrypt never knows subscribers’ private keys.)