For instance, how can I use my *.domain.com SSL certs and NPM to route containers to a subdomain without exposing them? The main domain is exposed.
I don’t really understand what you’re getting at. The answer to OP’s question is to use Let’s Encrypt like everyone else.
They literally didn’t mention LE at all.
SSL is not Let’s Encrypt, if you didn’t know.