One headache I've had with internal LE certs is bots abusing the CT logs to attempt probing internal names. As a result, I started requesting wildcard certs from LE. Somehow that feels less secure, because even though I'd probably recognize abuse of the cert - friends and family wouldn't. It's the same reason I don't want less technically adept friends and family having to deal with my own CA. Install one arbitrary cert ... what's the problem with this random, sketch one I downloaded?