Bad journalism and self-centered experts. That’s all I see.
It was always intended that OEMs and browser distributors should insert their own trust points into the Windows trust stores.
If Sprint licensed the original Netscape browser and tuned things up so it was easy to dial up Sprint ISP internet access points, it was absolutely intended that Sprint would also tune up the root list for SSL – adding and removing entries as they saw fit, for their value-added network. If they wished to offer an SSL CONNECT Proxy service (to only those consumers who dialed up internet via Sprint ISP) they were absolutely entitled and expected to offer a CONNECT service, with their own trusted roots.
This foofoo is all about nothing, with an OEM doing what it’s supposed to be doing: selecting trusted drivers, vetting them, and this includes “CAs”.
If you “buy” a corporate laptop, it comes with the enterprise root too, all set up for MITM and spying on you (the employee) by the evil Enterprise. Whether it’s OEM or Enterprise, the model is the same. You trust the source of the hardware to vet things, and they will probably vet themselves highly – mostly so they can spy or otherwise add value (like shove ads in your face).