An interesting use case of wildcard certs: when I do not want to publish the hostnames I am using. Sandstorm[1] uses unpredictable hostnames as one mitigation against various cross-origin attacks -- if the attacker doesn't know the domain of the app, he can't try to use XSRF against it[2].
If you are willing to only accept SNI-enabled clients (the vast majority nowadays), you can achieve the same by having one cert issued per subdomain, then configuring the web server/reverse proxy to use them.
There are a few existing Nginx configs for that (search for "nginx dynamic ssl cert").
I think there are other problems for doing this for Sandstorm. One is the delay when starting to use a new hostname (right now Let's Encrypt might take around 20 seconds to issue a new hostname, which may well increase to the originally-predicted one minute eventually), while another is that all Let's Encrypt certificates are published, so if you really want the hostname to be completely unknown to an attacker, the individual Let's Encrypt certs wouldn't work.
Anyway, Sandstorm developers told me that they wouldn't plan on using Let's Encrypt while it doesn't offer wildcards, so I think we are missing out on supporting this use case.
[1] https://sandstorm.io [2] https://docs.sandstorm.io/en/latest/using/security-practices...
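
The per-subdomain certificate setup mentioned in the thread, sketched as an nginx config. This is an added example, not taken from the thread or from Sandstorm; example.com, the certificate paths, the `fallback` certificate name and the backend address are assumptions.

```nginx
# Added example. Goes in the http {} context.
# Assumed layout: /etc/nginx/certs/<hostname>.crt and <hostname>.key,
# plus fallback.crt / fallback.key for clients that send no usable SNI.

# $ssl_server_name is the SNI value sent by the client, so only an
# expected hostname shape is allowed to select a certificate file.
# A missing or unexpected name gets the fallback certificate.
map $ssl_server_name $cert_name {
    default                        fallback;
    ~^[a-z0-9-]+\.example\.com$    $ssl_server_name;
}

server {
    listen 443 ssl;
    server_name ~^[a-z0-9-]+\.example\.com$;

    # Variables in these two directives require nginx 1.15.9 or later.
    # With a variable in the path, the files are loaded for each TLS
    # handshake instead of once at startup.
    ssl_certificate     /etc/nginx/certs/$cert_name.crt;
    ssl_certificate_key /etc/nginx/certs/$cert_name.key;

    location / {
        # Assumed backend address for the app behind the proxy.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
}
```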