masfuerte 4 days ago
Right, but if you want people to trust you, you need to be open about what people are trusting you with. Your original answer seemed obfuscatory.

benburkert 4 days ago
Sorry, not trying to obfuscate anything, hopefully this clarifies: users trust us to hold their ACME account key and we only ask for DNS records prefixed with `_acme-challenge.` to be CNAME delegated. With this we could issue or revoke a new certificate, but we couldn't impersonate them because we don't control the rest of their DNS.
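Added example, not part of the thread and not any participant's code: a zone owner's check that the only names delegated to a certificate provider are the `_acme-challenge.` ones described above. The provider zone `acme-delegate.example.net`, the `Record` type and the sample records are constructed placeholders.

```python
# Audit a zone export for records that hand names to an ACME provider.
# PROVIDER_ZONE and SAMPLE_ZONE are constructed placeholders, not real data.
from typing import NamedTuple

PROVIDER_ZONE = "acme-delegate.example.net"  # hypothetical provider domain
CHALLENGE_LABEL = "_acme-challenge"          # label used for DNS-01 validation
DELEGATING_TYPES = {"CNAME", "DNAME", "NS"}  # types that give away answers


class Record(NamedTuple):
    name: str
    rtype: str
    target: str


def _norm(name: str) -> str:
    # DNS names are case-insensitive; drop the root dot for comparison.
    return name.rstrip(".").lower()


def _under(name: str, zone: str) -> bool:
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def audit_delegations(records, provider_zone=PROVIDER_ZONE):
    """Split records pointing at the provider into (scoped, out_of_scope)."""
    scoped, out_of_scope = [], []
    for rec in records:
        if rec.rtype.upper() not in DELEGATING_TYPES:
            continue
        if not _under(rec.target, provider_zone):
            continue  # points somewhere else; not this provider's reach
        first_label = _norm(rec.name).split(".", 1)[0]
        if first_label == CHALLENGE_LABEL:
            scoped.append(rec)        # provider can answer validation only
        else:
            out_of_scope.append(rec)  # provider answers for a name users resolve
    return scoped, out_of_scope


SAMPLE_ZONE = [  # constructed records
    Record("_acme-challenge.example.com.", "CNAME", "abc123.acme-delegate.example.net."),
    Record("_ACME-Challenge.api.example.com.", "CNAME", "def456.acme-delegate.example.net."),
    Record("www.example.com.", "CNAME", "edge.acme-delegate.example.net."),
    Record("internal.example.com.", "NS", "ns1.acme-delegate.example.net."),
    Record("example.com.", "A", "192.0.2.10"),
    Record("_acme-challenge.shop.example.com.", "CNAME", "x.other-host.example.org."),
]
```

Anything returned in the second list is a name where the provider, not the zone owner, decides what resolvers see.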