Hacker News

Anyone along the route between LE and chase.com can possibly get a certificate from LE. For example, if you have access to a chase.com firewall or load balancer and can redirect traffic for a minute, you could get a DV certificate.

The thing is, TLS certificates are a "weakest link" system. Even if chase.com is buying EV certificates, a bad actor can still get a DV certificate. You can mitigate that a bit by using a CAA record in DNS, but AFAIK there's no way to specify anything like a policy identifier (which indicates the type of certificate) in a CAA record. The best you get is the ability to limit issuance to a specific issuer.

There could be _some_ value to using a CA like DigiCert if you use a CAA record that limits certificate issuance to them only. Since they don't offer DV certificates, you reduce the risk of a MITM using HTTP to get a DV certificate for your domain. You'd also want to reconcile every certificate issued to make sure they're legitimate requests.
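The CAA evaluation the comment describes (limiting issuance to a named issuer) is what a CA has to perform before issuing, so here is a worked version of that check as an added example; it is not code from the comment author, from Let's Encrypt or from any CA. It implements the RFC 8659 rules (walk up from the FQDN to the first name that has a CAA RRset, `issue` versus `issuewild`, an empty issuer meaning "nobody", and refusal on an unknown critical tag) and, going one step beyond the comment, the RFC 8657 `validationmethods` parameter, which a CA implementing that extension honours to restrict the ACME challenge type an `issue` record permits. The `ZONE` table, the domain names in it and the `may_issue`/`relevant_rrset`/`parse_issue_value` helper names are all constructed for illustration; no real zone is queried.

```python
"""CAA evaluation as an issuing CA must perform it (RFC 8659), plus the
RFC 8657 ``validationmethods`` parameter.  Added example for this thread,
not code from the comment author or any CA.  ZONE is constructed sample
data; no real domain's records are consulted."""
from dataclasses import dataclass

CRITICAL = 0x80  # issuer-critical bit in the CAA flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone data: owner name -> CAA RRset.  Names absent from the
# table have no CAA RRset of their own (www.example.com inherits example.com's).
ZONE = {
    "example.com": [
        CAA(0, "issue", "digicert.com"),
        # Let's Encrypt may issue, but only via the DNS challenge (RFC 8657).
        CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        CAA(0, "issuewild", ";"),  # empty issuer: nobody may issue wildcards
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [CAA(0, "issue", "pki.goog")],
    "strict.example.com": [CAA(CRITICAL, "futuretag", "opaque")],
}


def relevant_rrset(fqdn, zone):
    """RFC 8659 s3: the relevant RRset is the first one found walking from
    the FQDN toward the root.  Returns (owner, records); ([] if none)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def parse_issue_value(value):
    """'ca.example; k=v; k2=v2' -> (issuer domain or None, {param: value}).
    A value of ';' (empty issuer domain) authorises no CA at all."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower() or None
    params = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return issuer, params


def record_authorises(record, ca_domain, method):
    """Does one issue/issuewild record authorise ca_domain using method?"""
    issuer, params = parse_issue_value(record.value)
    if issuer != ca_domain.lower():
        return False
    allowed = params.get("validationmethods")  # RFC 8657, e.g. "dns-01,http-01"
    if allowed is not None and method not in [m.strip() for m in allowed.split(",")]:
        return False
    return True


def may_issue(fqdn, ca_domain, zone, wildcard=False, method="http-01"):
    """Decide, as a CA must, whether ca_domain may issue for fqdn.
    Returns (allowed: bool, reason: str)."""
    owner, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, "no CAA RRset found from %s to the root" % fqdn
    # An unrecognised tag with the critical flag set forbids issuance.
    for r in rrset:
        if r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False, "critical unknown tag %r at %s" % (r.tag, owner)
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    restricting = [r for r in rrset if r.tag.lower() == tag]
    if not restricting:
        return True, "%s has CAA records but none restrict %s" % (owner, tag)
    if any(record_authorises(r, ca_domain, method) for r in restricting):
        return True, "%s record at %s authorises %s via %s" % (tag, owner, ca_domain, method)
    return False, "%s records at %s do not authorise %s via %s" % (tag, owner, ca_domain, method)


if __name__ == "__main__":
    for name, ca, extra in [
        ("www.example.com", "digicert.com", {}),
        ("www.example.com", "letsencrypt.org", {"method": "http-01"}),
        ("www.example.com", "letsencrypt.org", {"method": "dns-01"}),
        ("example.com", "digicert.com", {"wildcard": True}),
        ("legacy.example.com", "digicert.com", {}),
        ("strict.example.com", "digicert.com", {}),
        ("unrelated.test", "digicert.com", {}),
    ]:
        ok, why = may_issue(name, ca, ZONE, **extra)
        print("%-5s %s" % ("ALLOW" if ok else "DENY", why))
```

Two points the table makes visible: the `legacy.example.com` RRset stops the upward walk, so a subdomain with its own CAA record is not covered by the parent's restriction, and a CAA record only binds CAs that honour it, so the reconciliation step the comment mentions (checking every issued certificate, for example against Certificate Transparency logs) is still needed.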
