Is there such a thing as a "CA certificate restricted to signing subdomains of a certain domain"? That seems like it might be a useful piece in the puzzle: if LE could issue those (with the same validation as for wildcard certificates), then you could make your own (valid) certificates for your devices, without them appearing in the transparency logs. That may seem a bit dangerous, but it's not really any more dangerous than a wildcard certificate in the first place. And there are still downsides - but it might be a good fit in quite a few cases. If it's possible 😉
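As an added illustration, not part of the original post: the mechanism being asked about does exist in X.509, namely the Name Constraints extension (RFC 5280, section 4.2.1.10), which an intermediate CA certificate can carry to limit which DNS names the certificates below it may contain. The script below builds a throwaway PKI with a constrained intermediate, issues one leaf inside and one outside the permitted domain, and runs OpenSSL path validation on both. The CA names, hostnames and the `.example.com` constraint are constructed values; the script assumes an `openssl` CLI of version 1.1.1 or later on PATH. Note that the constraint is enforced by the validating client, not by the signer: the constrained CA will sign anything it is asked to, and the out-of-scope leaf is only rejected at verification time.

```shell
#!/bin/sh
# Added example (not from the original post): a name-constrained intermediate CA.
# All names below are constructed; assumes openssl >= 1.1.1 on PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root CA (trust anchor) plus an issuing CA restricted to DNS names under example.com.
build_pki() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/root.ext"
    openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null

    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Constrained CA" \
        -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
    # permitted;DNS:.example.com -> only names ending in ".example.com" are allowed
    # in certificates issued by this CA (the bare name example.com is not).
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'nameConstraints=critical,permitted;DNS:.example.com' > "$WORK/sub.ext"
    openssl x509 -req -days 30 -in "$WORK/sub.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/sub.ext" \
        -out "$WORK/sub.crt" 2>/dev/null
}

# Issue a leaf certificate for hostname $1 from the constrained CA.
# The CA signs unconditionally; nothing here checks the name against the constraint.
issue_leaf() {
    name=$1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf '%s\n' "subjectAltName=DNS:$name" 'basicConstraints=CA:FALSE' \
        > "$WORK/$name.ext"
    openssl x509 -req -days 30 -in "$WORK/$name.csr" -CA "$WORK/sub.crt" \
        -CAkey "$WORK/sub.key" -CAcreateserial -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.crt" 2>/dev/null
}

# Path-validate leaf $1 up to the root, exactly as a relying party would.
# Exit status 0 = chain accepted, non-zero = rejected (e.g. permitted subtree violation).
verify_leaf() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

build_pki
issue_leaf dev.example.com   # inside the permitted subtree
issue_leaf www.evil.com      # outside it: signed fine, but must fail validation
for n in dev.example.com www.evil.com; do
    if verify_leaf "$n"; then
        echo "$n: accepted"
    else
        echo "$n: rejected (name constraint)"
    fi
done
```

Running the script prints one accepted and one rejected line. The second result is the important one for the scenario above: the intermediate happily signed `www.evil.com`, so the protection comes entirely from clients that implement name-constraint checking during path validation, which is the caveat to weigh against a plain wildcard certificate.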