
So now we trust them to log it. What's the difference?


If someone else logs a certificate for one of my domains I am notified and can have it revoked.


How are you following this in practice, especially if every service has its own certificate that it rotates every two months via letsencrypt or similar?

It's not clear to me how you know who asked for the certificate in the log. Do you somehow compile the private keys of all entities that are allowed to request certificates and compare that to the CTL?


I only have about two dozen certs, so having a notification a week is manageable; I have not had to think about how to scale it.
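One way to make the comparison asked about above scale past a handful of certificates, as an added example that is not part of any comment in this thread: each service records the SHA-256 of its public key (SPKI) when it generates a key pair, and the monitor alerts only on logged certificates for watched domains whose key is not in that inventory. The entry field names, the inventory format and the sample records are assumptions constructed for illustration, not the output format of any particular CT monitor.

```python
import hashlib

WATCHED = {"example.com"}  # constructed: domains you own

def spki_hash(spki_der: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo, hex encoded."""
    return hashlib.sha256(spki_der).hexdigest()

def is_watched(name: str, watched=WATCHED) -> bool:
    """True if name is a watched domain or a (wildcard) subdomain of one."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Require a label boundary so "notexample.com" does not match "example.com".
    return any(name == d or name.endswith("." + d) for d in watched)

def unexpected_entries(log_entries, inventory, watched=WATCHED):
    """Watched-domain entries whose key is not in the inventory, one per key."""
    seen, alerts = set(), []
    for entry in log_entries:
        if not any(is_watched(n, watched) for n in entry["dns_names"]):
            continue
        key = entry["spki_sha256"]
        # A precertificate and its final certificate carry the same public key,
        # so matching and de-duplicating on the key yields one alert per issuance.
        if key in inventory or key in seen:
            continue
        seen.add(key)
        alerts.append(entry)
    return alerts

# Constructed stand-ins for DER-encoded public keys (hypothetical sample data).
KEY_WEB, KEY_API, KEY_UNKNOWN = b"spki-web", b"spki-api", b"spki-unknown"
# Inventory written by each service at key generation: key hash -> owner.
INVENTORY = {spki_hash(KEY_WEB): "web", spki_hash(KEY_API): "api"}
SAMPLE_LOG = [  # constructed log entries; field names are assumptions
    {"dns_names": ["www.example.com"], "spki_sha256": spki_hash(KEY_WEB), "entry_type": "precert"},
    {"dns_names": ["www.example.com"], "spki_sha256": spki_hash(KEY_WEB), "entry_type": "cert"},
    {"dns_names": ["api.example.com"], "spki_sha256": spki_hash(KEY_API), "entry_type": "cert"},
    {"dns_names": ["*.example.com"], "spki_sha256": spki_hash(KEY_UNKNOWN), "entry_type": "precert"},
    {"dns_names": ["*.example.com"], "spki_sha256": spki_hash(KEY_UNKNOWN), "entry_type": "cert"},
    {"dns_names": ["notexample.com"], "spki_sha256": spki_hash(b"other"), "entry_type": "cert"},
]

if __name__ == "__main__":
    for e in unexpected_entries(SAMPLE_LOG, INVENTORY):
        print("unexpected certificate:", e["dns_names"], e["spki_sha256"][:16])
```

Routine rotations by known services match the inventory and stay silent, so the notification volume tracks unexpected issuance rather than the number of certificates.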



