“What prevents a state actor with access to your IP from issuing false Lets Encrypt certificates?“
Also there is a difference between being issued a certificate and actually utilizing it (such as a man-in-the-middle attack). Utilizing the issued certificate still requires the associated private key and operating on the domain name the certificate is issued for.
Thus if you have a valid certificate and the government has a bad actor (valid) certificate, so if you were to publish your valid certificate on your website, for all to see, the end user can check that that’s the certificate being used for their connection, if not a bad actor is intercepting the communications.