You made a very good investigation of the topic. I agree that a public cert shouldn't be placed into the same folder as CA certs. There is some mention of a weird bug: https://serverfault.com/a/840191/442430. Instead, I think that both the private key and the cert should be merged into one file and placed into /etc/ssl/private/. It looks like there were a lot of discussions, but we didn't come to a single agreement about the place to store certs and how to manage them. Please read my proposition here: https://github.com/certbot/certbot/issues/1425#issuecomment-1150116062. I'll appreciate any feedback.
Regards, Sergey Ponomarev, stokito.com