Since the Portainer Agent gives control over the Docker socket, it is better not to expose it to every container on the network (even though the Portainer Agent only accepts the first client that connects, unless you also configure a shared secret).
Really, there should be three networks:
portainer, for Portainer and the Portainer Agent [isolated]
traefik, for Traefik and Portainer [isolated]
traefik-private, for the cert updater, which does not need access to any other containers [not isolated]
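As an added illustration (not from the original note), the three networks above expressed as a docker-compose layout. Everything except the three network names is an assumption: the image names, the `certs` volume shared between the updater and Traefik, and the extra `ingress` network, which is needed because Traefik cannot publish ports from an `internal: true` network.

```yaml
# Added example, not part of the original note. Assumed names are marked.
services:
  portainer-agent:
    image: portainer/agent
    environment:
      # Shared secret so the agent only trusts a Portainer server that knows it,
      # instead of whichever client connects first.
      AGENT_SECRET: "${AGENT_SECRET:?set a shared secret}"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock   # the socket being fenced off
    networks:
      - portainer            # only reachable from this network; no published ports

  portainer:
    image: portainer/portainer-ce
    environment:
      AGENT_SECRET: "${AGENT_SECRET:?set a shared secret}"
    networks:
      - portainer            # reaches the agent
      - traefik              # reached by Traefik only

  traefik:
    image: traefik
    networks:
      - traefik
      - ingress              # assumed: non-internal network so 80/443 can be published
    ports:
      - "443:443"
    volumes:
      - certs:/certs:ro      # assumed: certs produced by cert-updater, read-only here

  cert-updater:
    image: example/cert-updater   # placeholder image name
    networks:
      - traefik-private      # outbound only; no other service joins this network
    volumes:
      - certs:/certs

networks:
  portainer:
    internal: true           # no route off the host; only members can talk to each other
  traefik:
    internal: true
  traefik-private: {}        # not isolated: the updater needs outbound access
  ingress: {}                # assumed, see above

volumes:
  certs: {}
```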
Since this has moved off remote hosting and onto internal hosting, keeping the certs in the repo rather than pushing them out to the remote host would be easier. They could be baked into the image or just pulled off GitHub.