I'm with you on this. I run my ACME clients as least-privileged standalone applications.

On a machine where you're only running a webserver I suppose having Nginx do it the ACME renewal makes sense.

On many of the machines I support I also need certificates for other services, too. In many cases I also have to distribute the certificate to multiple machines.

I find it easy to manage and troubleshoot a single application handling the ACME process. I can't imagine having multiple logs to review and monitor would be easier.