I don't know if that's intentional or a problem but I was doing some much older openssl s_client testing for a legacy system against https://valid-isrgrootx2.letsencrypt.org/ and I noticed it would provide the X1 chain because I forgot to include SNI.
Thanks for the report. That site and several others are hosted by the same webserver on a single IPv4 address, so it relies on SNI/ALPN to select the correct chain to send.
We'll talk internally about considering acquiring some additional IPv4 addresses.
Np. I believe badssl.com does the same with the same IP address and using SNI for different certs, but with the TLS protocol tests it uses different ports, so that might be an option too instead of multiple IP addresses.
Only other thing that I thought would be nice was test pages for cross-signed roots vs. not cross-signed roots, or whichever combos of LE chains could reasonably configured. Such as the upcoming DST Root CA X3 switch.
Others could be X2 issuer as X1 and X2 self-signed, less so would be testing the backup intermediates R4 and E2.
You don't necessarily need extra IPv4 addresses, you can also just not answer to non-SNI requests (which should be virtually non-existent today, except things like "openssl s_client").
For example with nginx this can be achieved by using ssl_reject_handshake in the default vhost, it will terminate the SSL handshake with "unrecognized name".