Comment by charcircuit

In your example certbot is given permission to write to /var/www/.well-known/acme-challenge and to write certs somewhere. Your web server also has permission to read those files too.

There is no need for the acme client and web server to run as the same user. For reloads the certbot user can be given permission to just invoke the reload command / signal directly. There does not need to be sudo in between them.