This is why self hosted to me means actually running it on my own hardware in a location I have at least some control of physical access.
That said, an ISP could perform the same attack on a server hosted in your home using the HTTP-01 ACME challenge, so really no one is safe.
HSTS+certificate pinning, and monitoring new certificates issued for your domains using Certificate Transparency (crt.sh can be used to view these logs) is probably the only way to catch this kind of thing.
Of course they do, but it isn't the ISP's job to do so. I believe that is the point that the EFF is making here.
Censorship sometimes needs to happen to protect people, but it should be conducted by website owners/platforms and government authorities -- on each end of the information transaction, not in transit by an ISP.
Are CloudFlare, Amazon or Microsoft any better? Google at least take security (if not privacy) very seriously.
In general it seems bad to have any huge profit-driven organisation exercising significant control over open standards, but I do think that Google is lesser than many of the other evils.
I found it much more barebones in my tinkering. It doesn’t seem to support pulling via SSH (and definitely doesn’t support signing commits). Configuration options appear extremely limited, both in documentation and the UI.
It looks nice, but I don’t really see the point to it when Gitea Actions is now a thing. Gitea is a more mature product, and is similarly fast and lightweight.
Edit: s/Gitea/Forgejo. Gitea has moved to a for-profit model since I made this comment.