You can delegate authentication via a permanent DNS record to another DNS hierarchy and give your certificate software authority to change that for ACME purposes. This fixes both the "My API key is allowed to change anything" problem and the "I can't get an API key for the DNS domains I need certificates for" problem, albeit at the cost of needing that one-time setup to tell ACME where to look in DNS.
To do this you need a CNAME from the _acme_challenge DNS name you're being challenged on, to a DNS name you're going to use for this purpose. It needn't be in the same domain or indeed even the same TLD, but of course it does need to be a public DNS name.
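The delegation described above, as an added example that is not part of the original thread: a stdlib-only Python check that follows the CNAME from the `_acme-challenge` label (the name RFC 8555 defines) into the delegated zone and compares the TXT value there against the key authorization digest the CA expects. The zone contents, names and token/thumbprint are constructed, and the CA's DNS lookup is stubbed with a dictionary so it runs offline.

```python
import base64
import hashlib

# Constructed stand-in for public DNS: owner name -> list of (rtype, rdata).
# A real CA resolves these itself; the dict only lets the check run offline.
CONSTRUCTED_ZONES = {
    # Challenged zone: one permanent CNAME, set up once by whoever controls example.com.
    "_acme-challenge.www.example.com.": [("CNAME", "www-example.acme.validation-example.net.")],
    # Delegated zone: the only place the ACME client's API key needs write access.
    "www-example.acme.validation-example.net.": [("TXT", "stale-value-from-last-renewal")],
}

def key_authorization_digest(token: str, account_thumbprint: str) -> str:
    """RFC 8555 s8.4 TXT value: base64url(SHA-256(token '.' thumbprint)), no padding."""
    key_authz = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def resolve_txt(name: str, zones: dict, max_hops: int = 8):
    """Follow CNAMEs the way a validating resolver would; return (final owner, TXT values)."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        records = zones.get(name, [])
        cnames = [rdata for rtype, rdata in records if rtype == "CNAME"]
        if cnames:
            name = cnames[0]  # an owner with a CNAME carries no other data to return
            continue
        return name, [rdata for rtype, rdata in records if rtype == "TXT"]
    raise ValueError("too many CNAME hops")

def dns01_would_validate(domain: str, token: str, thumbprint: str, zones: dict):
    """Mimic the CA's dns-01 check: the expected digest must sit at the end of the CNAME chain."""
    expected = key_authorization_digest(token, thumbprint)
    final_name, txts = resolve_txt(f"_acme-challenge.{domain}.", zones)
    return expected in txts, final_name

def publish_and_check(token: str, thumbprint: str):
    """What the client does at renewal: write the digest into the delegated zone only."""
    zones = dict(CONSTRUCTED_ZONES)
    zones["www-example.acme.validation-example.net."] = [
        ("TXT", key_authorization_digest(token, thumbprint))
    ]
    return dns01_would_validate("www.example.com", token, thumbprint, zones)
```

Running `publish_and_check` with the constructed token and thumbprint returns `(True, "www-example.acme.validation-example.net.")`, while the unmodified `CONSTRUCTED_ZONES` (stale TXT) fails the same check.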
Couldn't they just build a DNS responder into the ACME client? That way you can put an NS record delegating _acme_challenge to your application server/web server, so it can reply during validation?
Nobody stops you building an ACME client that does this. However, I expect it would mostly accumulate confused bug reports from users who don't know their IP address, or don't even have a public IP address, and certainly can't unblock UDP port 53 on their device.
certbot already has a "stand-alone" authorization mechanism that has all those drawbacks, so doing a similar thing for DNS might not be too terrible...