kravietz 🦇 (npub1vz5…qdta) but WebTrust is not being enforced by a government, that's the big difference.
Browsers can (and do!) remove CAs when they misbehave. DigiNotar, Kazakhstan thing, a few others.
If a root CA is mandated by the government (or an international governmental organization such as the EU), this becomes potentially… illegal.
And that's the worry. Browser will might not be allowed to react to misbehaving root CAs.