
Let's Encrypt has (AFAIK) no TOS that would provide any basis to revoke a certificate.


Looks like they can refuse to issue you a certificate:

>"ISRG may, in its sole discretion, refuse to grant Your request for a Let’s Encrypt Certificate, including for any lawful reason stated or not stated in this Agreement."

From:

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-201... (Section 3.3)

Reading the rest now to see if they can revoke.

Edit. Aaaand there it is:

>"You also acknowledge and accept that ISRG may, without advance notice, immediately revoke Your Certificate if ISRG determines, in its sole discretion, that [...]

(v) You have violated any applicable law, agreement (including this Agreement), or other obligation;

(vi) Your Certificate is being used, or has been used, to enable any criminal activity (such as phishing attacks, fraud or the distribution of malware);

(ix) ISRG is legally required to revoke Your Certificate pursuant to a valid court order issued by a court of competent jurisdiction;

(x) this Agreement has terminated; or

(xi) there are other reasonable and lawful grounds for revocation"


OK, so I was at least somewhat wrong, since presumably (xi) is the means-what-you-want clause.

Refusing to grant the initial cert. seems unlikely for a new organization, so revocation is the key problem. And indeed (xi) is a problem there.

I wonder if LE really thinks this way. Their primary role is to say "foobar has certified that they really are foobar". I wonder how susceptible they are to the sorts of considerations that have driven FANGT to take the steps that they did.


It's likely more of a failsafe. All CAs, registrars, DNS providers, CDNs and hosting providers have some variant of that wording so that they can terminate your account without facing legal recourse. It's easy to miss it; some AUPs are massive and default to tiny font.



