Let's Encrypt uses "multiperspective validation" to prevent a single backbone router or backbone network from being able to do this attack in many cases.
This doesn't help much if the attacker is sufficiently close on the network to the target, or if the attacker can perform a successful wide-scale BGP spoofing attack.
I'm not sure if that will reassure you, since it's not a complete mitigation in all cases, but the multiperspective validation was explicitly created in response to exactly this kind of concern about attacks on, or by, ISPs!