I think I can see where they're going with it, but it is a bit hard to write out

Say I set up my favorite service in house, and said service has a client app. If I create my own DNS at home and point the client to the entry, and the service is running an encrypted connection with a self signed cert it can give the client app fits for being untrusted.

Compare that to putting NPM in front of the app, using it to get a LetsEncrypt cert using the DNS record option (no need to have LE reach the service publicly) and now you have a trusted cert signed by a public CA for the client app to connect to.

I actually do the same for a couple internal things that I want the local traffic secured because I don't want creds to be sniffable on the wire, but they're not public facing. I already have a domain for other public things so it doesn't cost anything extra to do it this way.