One thing I totally dislike with CT is that literally everybody can see all the subdomains that my certificate is valid for (esp. LetsEncrypt), but also for cases where your "normal" wildcard-cert does not work - e.g. .foo.de is covered, but because wildcards dont go beyond 1 level, .bar.foo.de is not covered, and so everyone can see that there is one (or more) subdomains at bar.foo.de.
Let's assume an attacker finds a RCE in JIRA, Confluence or Gitlab... now everything the attacker has to do to find a list of candidates is to run a simple grep -i gitlab|jira|confluence|whatever on the CT logs, while he'd have to go the brute-force route before CT.
But more generally, you should never expose Confluence etc to the greater internet. That's just asking for trouble. It will find you, greppable hostname or not.
Soooo, in most circumstances these products are set to be allowed to be crawled by robots for search engines. I think it’d be a hell of a lot more accurate and powerful to use Google with keywords (like powered by lines) than say have to get into possibly vague hostnames (like docs, bugs, issues, git etc).
What you describe is called "Security by Obscurity" and it's not a good security mechanism. It is only applicable only after other type of defenses has been put in place.
Let's assume an attacker finds a RCE in JIRA, Confluence or Gitlab... now everything the attacker has to do to find a list of candidates is to run a simple grep -i gitlab|jira|confluence|whatever on the CT logs, while he'd have to go the brute-force route before CT.