A lot of browsers have their own root chain, and also now do certificate pinning, so will (IIRC) only accept specifically designated certs for particular sites (doesn't Google/Chrome/Gmail do this?).
Not really, because you can use on-demand certificate issuance.
Hell, if you really want to, you can even name your certificates the same as existing certificates and the only way to detect the forgery would be to compare the actual public keys (and who does THAT).
I feel like I'm writing an evil roadmap here, but you can even do multiple root certs with different names and trust them all, do a whole "fake" PKI infrastructure which would be impossible to detect unless you were comparing the actual keys.
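The detection the posts above point at (comparing the actual public keys rather than the names) is what SPKI pinning does. As an added example that is not part of this thread, the Go program below issues two self-signed certificates with the same name but different keys, pins the SHA-256 of the genuine one's SubjectPublicKeyInfo, and shows that the name check passes for both while the pin check rejects the lookalike. The hostname `example.test` and the pinned set are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the value that
// pinning configurations compare against. It depends only on the key,
// not on the subject name, issuer or serial.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// selfSignedCert issues a self-signed certificate for commonName with a
// freshly generated P-256 key (constructed test material, not a real site).
func selfSignedCert(commonName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		DNSNames:              []string{commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sameName is the check a lookalike certificate passes: names only.
func sameName(a, b *x509.Certificate) bool {
	return a.Subject.CommonName == b.Subject.CommonName
}

// pinMatches is the check a lookalike certificate fails: the presented
// certificate's SPKI hash must be in the pinned set.
func pinMatches(cert *x509.Certificate, pinned map[string]bool) bool {
	return pinned[spkiPin(cert)]
}

func main() {
	genuine, err := selfSignedCert("example.test")
	if err != nil {
		panic(err)
	}
	// Same name, different key: what a forged "fake PKI" cert looks like.
	lookalike, err := selfSignedCert("example.test")
	if err != nil {
		panic(err)
	}
	pinned := map[string]bool{spkiPin(genuine): true}

	fmt.Println("names match:      ", sameName(genuine, lookalike))
	fmt.Println("genuine pin ok:   ", pinMatches(genuine, pinned))
	fmt.Println("lookalike pin ok: ", pinMatches(lookalike, pinned))
}
```

Pinning to the SPKI hash rather than to the whole certificate is deliberate: the pin survives routine reissuance with the same key, and it is unaffected by anything an issuer can change (names, serials, extensions), which is exactly the property the lookalike scenario needs.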
Yeah, just imagine being beholden to some federal statute impropriety (easiest in taxes) and running one of these vpn organizations...