This highlights a huge problem with LetsEncrypt and CT logs. Which is that the Internet is a bad place, with bad people looking to take advantage of you. If you use LetsEncrypt for ssl certs (which you should), that hostname gets published to the world, and that server immediately gets pummeled by requests for all sorts of fresh install pages, like wp-admin or phpmyadmin, from attackers.
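The probing the comment above describes (requests for wp-admin, phpmyadmin and other fresh-install pages arriving right after a hostname shows up in CT) is easy to spot in the access log. The following is an added example, not code from anyone in this thread: a small Combined Log Format parser that counts install-page probes per source IP. The list of probe paths and the sample log lines (TEST-NET addresses) are constructed assumptions.

```python
import re
from collections import Counter

# Paths a freshly deployed PHP app exposes before its first login.
# Assumed list; extend it for whatever apps you actually run.
INSTALL_PROBE_PATHS = (
    "/wp-admin/install.php",
    "/wp-admin/setup-config.php",
    "/phpmyadmin/",
    "/pma/",
    "/setup.php",
    "/install.php",
)

# Apache/nginx Combined Log Format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_install_probe(path):
    """True if the request path (query string ignored) targets an install page."""
    p = path.split("?", 1)[0].lower()
    return any(p.startswith(x) for x in INSTALL_PROBE_PATHS)

def find_install_probes(lines):
    """Return (probes per source IP, set of probed paths) over the given log lines."""
    by_ip = Counter()
    paths = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_install_probe(rec["path"]):
            continue
        by_ip[rec["ip"]] += 1
        paths.add(rec["path"].split("?", 1)[0])
    return by_ip, paths

# Constructed sample log: two probing hosts and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/install.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:10 +0000] "GET /setup.php?step=1 HTTP/1.1" 404 196 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    by_ip, paths = find_install_probes(SAMPLE_LOG.splitlines())
    print("probes per IP:", dict(by_ip))   # {'203.0.113.7': 2, '203.0.113.9': 1}
    print("probed paths:", sorted(paths))
```

Feed it `tail -f` of the real access log to see how soon after certificate issuance the first probe lands; a non-404 status on any of these paths is the case to page on.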
It's not just Let's Encrypt, right? CT is a requirement for all Certificate Authorities nowadays. You can just look at the certificate of www.google.com and see that it has been published to two CT logs (Google's and Sectigo's).
That may be related, but it's not what happened here. Wildcard-cert and all.
Why would you care that your hostname on a local only domain is published to the world if it is not reachable from outside? Publicly available hosts are already published to the world anyway through DNS.
LetsEncrypt doesn't make a difference at all.
> the Internet is a bad place
FWIW - it’s made of people
I like only getting *.domain for this reason. No expectation of hiding the domain but if they want to figure out where other things are hosted they'll have to guess.
> If you use LetsEncrypt for ssl certs (which you should)
You meant you shouldn't, right? Partially exactly for the reasons you stated later in the same sentence.
Unsecured fresh install states that rely on you signing in before an attacker does were always a horrible idea. It's been a welcome change on the Linux side where Linux distros can install with your SSH key and details preloaded so password login is always disabled.
These PHP apps need to change so you first boot the app with credentials so the app is secured at all moments.