Prefer to avoid snaps too. First time I'm hearing of dehydrated. I've dabbled a bit with acme.sh too and it's good (can do ECC certs and it's a single shell script).
I've stopped using Ubuntu in favour of good old Debian due to Canonical foisting snaps. I know you can remove snapd but the whole Ubuntu ecosystem is pivoting towards them.
What does certbot have to do with snaps..? You have all the options of container, build from source, download a binary release, get it from apt (or what have you) repos.
certbot does not officially support binary packages on Linux, so you have three choices for supported releases: snap, docker, or pip (best effort). If I’m not already using docker for the site (spoiler: I’m not) then why the fuck would I install docker if I’m not willing to install snap?
I guess the installation via pip is only best effort in the sense that they can't support every platform that pip is able to run on. For example their dependency on the "cryptography" library might cause problems on platforms which can't get a pre-compiled version from PyPi and have to built it from source.
If you are on x86 and use a distribution with glibc I wouldn't expect any problems.
I've had no issues installing it from debian apt repos on arm64 and amd64... I mean, if you don't want to use certbot and prefer something else, fine, but I can't see how docker/pip/snaps are the only options.
Not to completely minimize it, but that says local attacker, not remote attacker. So someone would still have to gain access to the system in question in the first place.
I'll second the suggestion for dehydrated.