Any device that is going to last decades needs the ability to update CAs. Anyone who works with PKI knows this.
So, either they’re incredibly dumb, or they intentionally designed in planned obsolescence. That’s even more damning.
These new authorities only work in apps that opted in, such as browsers, to prevent malicious stalkerware from intercepting traffic. That can pose a problem, but again, apps can package their CA of choice and use certificate pinning to make their devices more secure in the process. Every big app I've tried to introspect has implemented some kind of certificate pinning already.
Disabling certificate authorities has been part of Android since at least Android 4 (maybe Android 3 but practically nobody used that). Disabling certificate authorities applies across all apps that use the default validation mechanism; only adding new certificates has restrictions.
In practice, this means that there are very few apps that actually have a problem with adding new certificate authorities. Google could, in theory, leverage their system level access to disable pre-packaged certificate authorities as well, though I'm not sure if they ever have.
The only apps I've seen problems with were apps for self-hosted services that didn't include the user store opt-in, but for most users it's not much of a problem if you just install the CA manually. Last time this happened, news websites were all over the internet linking to instructions on how to install the Let's Encrypt CA and I bet it'll happen again when the next major CA expires/rolls over. Android 11 made the process of installing CAs quite a bit harder, but it's still possible without any special tools or software.
In practice, by the time this becomes an issue, only old devices with a comparatively small user base are affected if they're affected at all.
Don't get me wrong, I definitely approve of the change, but I can definitely see why Google hasn't bothered with this while there are so many other areas where Android can use some more fixing up.
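The user-store opt-in, bundled CA and certificate pinning mentioned in the comments above are declared per app in Android's Network Security Configuration. As an added example (not part of the thread), this Python script audits a constructed config and reports, for each scope, which trust stores it accepts and how many pins it sets. The domains, the `@raw/bundled_ca` resource name and the pin values are hypothetical placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample res/xml/network_security_config.xml; the domains and the
# bundled CA resource name are hypothetical, the pin values are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">selfhosted.example</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors>
            <certificates src="@raw/bundled_ca" />
        </trust-anchors>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_HASH_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_HASH_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""

def audit(xml_text):
    """Return {scope: {sources, pins, trusts_user_store}} per config block."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    report = {}
    for block in root:  # top-level blocks only; nested domain-config is not walked
        if block.tag not in ("base-config", "domain-config"):
            continue
        domains = [d.text.strip() for d in block.findall("domain")]
        scope = ",".join(domains) or "base-config"
        sources = [c.get("src") for c in block.findall("trust-anchors/certificates")]
        report[scope] = {"sources": sources, "pins": len(block.findall("pin-set/pin")),
                         "trusts_user_store": "user" in sources}
    return report

if __name__ == "__main__":
    for scope, info in audit(SAMPLE_CONFIG).items():
        print(scope, info)
```

Only the scope that lists `src="user"` will accept a manually installed CA; apps targeting API level 24 or higher that declare nothing trust the system store only.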