• rho50@lemmy.nz
    9 months ago

    This is why self-hosted to me means actually running it on my own hardware in a location where I have at least some control of physical access.

    That said, an ISP could perform the same attack on a server hosted in your home using the HTTP-01 ACME challenge, so really no one is safe.

    HSTS+certificate pinning, and monitoring new certificates issued for your domains using Certificate Transparency (crt.sh can be used to view these logs) is probably the only way to catch this kind of thing.
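The Certificate Transparency monitoring mentioned in the comment above, as an added example that is not part of any comment in this thread: it compares crt.sh results against the serial numbers of certificates you issued yourself, since a certificate obtained by an on-path party through HTTP-01 would come from the same legitimate CA and only its serial would be unfamiliar. The domain `example.org`, the serial inventory, and the sample rows are constructed assumptions; real input would be the JSON that crt.sh returns for `?q=<domain>&output=json`.

```python
import json

# Constructed sample in the shape of crt.sh JSON output (?q=<domain>&output=json).
# crt.sh lists a precertificate and its final certificate as separate rows.
SAMPLE = r"""[
 {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.org\nwww.example.org", "serial_number": "03aa11", "entry_timestamp": "2023-07-01T01:00:05"},
 {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.org\nwww.example.org", "serial_number": "03aa11", "entry_timestamp": "2023-07-01T01:00:09"},
 {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.org", "serial_number": "04bb22", "entry_timestamp": "2023-07-18T09:12:40"},
 {"id": 1004, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.org", "serial_number": "04bb22", "entry_timestamp": "2023-07-18T09:12:44"},
 {"id": 1005, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "notexample.org", "serial_number": "05cc33", "entry_timestamp": "2023-07-19T11:00:00"}
]"""

def covers(name, domain):
    """True if a SAN entry is the domain itself, a subdomain, or a wildcard under it."""
    name = name.strip().lower()
    return name == domain or name.endswith("." + domain)

def norm(serial):
    """Serials may differ in case and leading zeros between tools."""
    return serial.lower().lstrip("0")

def unexpected_certs(entries, domain, own_serials):
    """Return logged certificates for `domain` whose serial is not in our own inventory."""
    own = {norm(s) for s in own_serials}
    found = {}
    for e in entries:
        if not any(covers(n, domain) for n in e["name_value"].split("\n")):
            continue  # row is for a look-alike name, not our domain
        key = norm(e["serial_number"])
        if key in own:
            continue  # we issued this one ourselves
        rec = found.setdefault(key, {"serial": e["serial_number"],
                                     "issuer": e["issuer_name"],
                                     "first_logged": e["entry_timestamp"],
                                     "crtsh_ids": []})
        rec["first_logged"] = min(rec["first_logged"], e["entry_timestamp"])
        rec["crtsh_ids"].append(e["id"])  # precert and leaf collapse into one record
    return sorted(found.values(), key=lambda r: r["first_logged"])

if __name__ == "__main__":
    # Hypothetical inventory: serials recorded by your own ACME client at issuance.
    for rec in unexpected_certs(json.loads(SAMPLE), "example.org", ["03AA11"]):
        print("UNEXPECTED", rec["serial"], rec["issuer"], rec["first_logged"], rec["crtsh_ids"])
```

Run on a schedule, any output is a certificate for your name that your own tooling did not request and should be investigated and revoked.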

  • Turun@feddit.de
    9 months ago

    Yes. All hosting providers will comply with requests from law enforcement.

    Signal and Proton Mail were forced to hand out information as well in the past. All you can do is choose which provider you distrust the least.