I was comparing two possible scenarios:

a) you have set up your own internal CA, whose key is safely stored on an HSM, with all security measures.

b) you use Let's Encrypt, and they issue you certificates based on DNS validation.

With (b), if a malicious party gains control over your DNS server, they can issue themselves a bunch of valid certificates that you may not even know about (unless you watch CT records). With (a), a remote attacker barely has a chance. Thus, a self-hosted CA may be beneficial in terms of security.
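The "unless you watch CT records" check from the post, as an added example that is not part of the original question: it filters Certificate Transparency records for names inside zones you own and flags any certificate whose issuer and serial your own issuance inventory does not account for. The sample records are constructed in the JSON shape crt.sh returns (the field names are my assumption about that format), and the (issuer organisation, serial) inventory key and every sample value are likewise assumptions.

```python
import json

# Constructed sample of CT records in the JSON shape crt.sh returns
# (field names assumed from crt.sh; values are invented for this example).
SAMPLE_CT_JSON = """[
 {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "03a1",
  "name_value": "www.example.com\\nexample.com", "not_before": "2024-05-01T10:00:00"},
 {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "03b2",
  "name_value": "vpn.example.com", "not_before": "2024-05-02T03:14:00"},
 {"id": 3, "issuer_name": "CN=Example Internal CA", "serial_number": "1f",
  "name_value": "intranet.example.com", "not_before": "2024-04-20T09:00:00"},
 {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "07",
  "name_value": "unrelated.org", "not_before": "2024-05-03T00:00:00"}
]"""

# Hypothetical inventory of issuances your own ACME client / internal CA recorded,
# keyed by (issuer organisation, serial number).
KNOWN_ISSUANCES = {("Let's Encrypt", "03a1"), ("Example Internal CA", "1f")}


def in_zone(name, zones):
    """True if a SAN (wildcards included) sits inside one of the zones we monitor."""
    host = name.lower().lstrip("*.")
    return any(host == z or host.endswith("." + z) for z in zones)


def issuer_org(issuer_name):
    """O= of the issuer DN (CN= as fallback); assumes no commas inside values."""
    parts = dict(p.strip().split("=", 1) for p in issuer_name.split(",") if "=" in p)
    return parts.get("O") or parts.get("CN", "")


def find_unexpected(ct_json, known, zones):
    """CT records that cover our zones but whose (issuer, serial) we never requested."""
    findings = []
    for rec in json.loads(ct_json):
        ours = [n for n in rec["name_value"].split("\n") if n and in_zone(n, zones)]
        if not ours:
            continue  # certificate does not touch a zone we care about
        key = (issuer_org(rec["issuer_name"]), rec["serial_number"].lower())
        if key not in known:  # issued for our names, but not by our automation
            findings.append({"ct_id": rec["id"], "issuer": key[0], "serial": key[1],
                             "names": ours, "not_before": rec["not_before"]})
    return findings


if __name__ == "__main__":
    for f in find_unexpected(SAMPLE_CT_JSON, KNOWN_ISSUANCES, {"example.com"}):
        print("UNEXPECTED:", f)
```

Run against live data, the same function would take the JSON a CT search service returns for your zones; the serial-keyed inventory only works if your issuance tooling records serials, so a certificate fingerprint is an equally valid key.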

