As @jsha said in that thread, everything certbot gives is only for the server. The client, in order to ensure that it's connecting to the server that it thinks it is, trusts some set of CAs to make assertions that servers are who they say they are. So it loads those CAs' root certificates onto its trust store (those are the cacerts you refer to), and then when a server presents its certificate and chain, the client can verify that the certificate was in fact signed by one of those CAs.
Usually operating systems take care of coming up with a list of trusted CAs for you (one of the most important jobs of an operating system that almost none of the users realize). But if you're building your own operating system then you can either steal one from one of the major vendors (like use your favorite Linux distribution's ca-certificates package, though be aware that it's usually based on Mozilla's list and Mozilla wants people to be clear exactly what their list is intended for), assuming that your system supports having that many trusted roots, or go through the effort of building your own. But as we're saying, either way you need to figure out how you'll regularly update it, as the roots that you should trust do change over time. If it turns out that Let's Encrypt is actually secretly run by a cabal that would accept large amounts of money to issue a certificate to somebody that they shouldn't, then you need to plan how you would switch to some other CA.
(Note: There is no cabal.)