If there's a competent admin, or it's just entirely autopilot for some huge generic host, you'll see a very boring pattern where there's a cert and then as it gets close to expiring a new cert is issued, e.g. 4-5 days before it expires, or on a Tuesday at about 8am, or whatever - and sure enough you'll see the same pattern in the cert presented when you access their web site.

In these cases it's really obvious if there's anything weird going on. You're correct that we can't know, as a third party, why there's something weird. Maybe the server was being replaced and the new server just installed an ACME client and got itself a new cert last Tuesday even though the previous one doesn't expire for weeks. But if there was nothing, we don't even need to ask anybody what's up - nothing is.

IMNSHO the statistics don't really work for targeted attacks. The odds you'll get away with it are unknowable and you only have to get unlucky once.
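The renewal-pattern check described in the comment above, sketched as an added example (not part of the original comment): it learns the usual lead time between a new cert's issuance and the previous cert's expiry, then flags any issuance that fits no earlier cert at that lead time. The issuance history, the labels, the 90-day lifetime and the 3-day tolerance are all constructed assumptions; the output only says an issuance is off-pattern, not why.

```python
from datetime import date, timedelta
from statistics import median

VALIDITY = timedelta(days=90)  # assumed lifetime for the constructed sample


def cert(label, issued):
    """Build a constructed record: (label, not_before, not_after)."""
    not_before = date.fromisoformat(issued)
    return (label, not_before, not_before + VALIDITY)


# Constructed issuance history for one hostname, as might be collected from
# certificate logs. A-E renew 5 days before expiry; X is issued mid-cycle.
SAMPLE = [
    cert("A", "2024-01-01"),
    cert("B", "2024-03-26"),
    cert("C", "2024-06-19"),
    cert("X", "2024-07-30"),
    cert("D", "2024-09-12"),
    cert("E", "2024-12-06"),
]


def off_pattern(certs, tolerance_days=3):
    """Return labels of certs whose issuance does not fit the usual lead time."""
    certs = sorted(certs, key=lambda c: c[1])
    # Lead time = days left on the previous cert when the next one was issued.
    leads = [(prev[2] - cur[1]).days for prev, cur in zip(certs, certs[1:])]
    if len(leads) < 3:
        return []  # not enough history to call anything a pattern
    typical = median(leads)
    flagged = []
    for i, cur in enumerate(certs[1:], start=1):
        # A cert fits if it renews *any* earlier cert at the usual lead time,
        # so the routine renewal that follows an odd cert is not flagged too.
        fits = any(
            abs((old[2] - cur[1]).days - typical) <= tolerance_days
            for old in certs[:i]
        )
        if not fits:
            flagged.append(cur[0])
    return flagged


if __name__ == "__main__":
    print(off_pattern(SAMPLE))
```
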