Trusting root certs is a lot less worrying with the advent of certificate transparency. It's now very noisy if a CA issues a cert for something like google.com, and smaller sites can get notifications about cert issuances for their domains from various free alerting services.
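The alerting mentioned above comes down to watching CT log entries that name your domain and flagging any issuer you did not expect. The following is an added sketch of that check, not part of the original comment; the record field names are assumptions modelled on crt.sh-style JSON, and every sample record is constructed.

```python
"""Flag CT log entries for a domain whose issuer is not on an allow-list."""

EXPECTED = "C=US, O=Example Trust Services, CN=Example Issuing CA 1"  # constructed
UNKNOWN = "C=XX, O=Unknown CA, CN=Unknown Issuing CA"                 # constructed

# Constructed sample records (field names assumed, modelled on crt.sh JSON).
SAMPLE_ENTRIES = [
    {"serial_number": "0a01", "issuer_name": EXPECTED,
     "name_value": "example.org\nwww.example.org"},
    # A precertificate and its final certificate share issuer and serial.
    {"serial_number": "0b02", "issuer_name": UNKNOWN,
     "name_value": "login.example.org"},
    {"serial_number": "0b02", "issuer_name": UNKNOWN,
     "name_value": "login.example.org"},
    {"serial_number": "0c03", "issuer_name": UNKNOWN,
     "name_value": "*.EXAMPLE.org"},
    # Look-alike name that must not match example.org.
    {"serial_number": "0d04", "issuer_name": UNKNOWN,
     "name_value": "notexample.org"},
]


def covers(name, domain):
    """True if a certificate name is the domain, a subdomain, or a wildcard under it."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def unexpected_issuances(entries, domain, allowed_issuers):
    """Return one alert per (issuer, serial) for matching names from unlisted issuers."""
    domain = domain.lower().rstrip(".")
    seen, alerts = set(), []
    for entry in entries:
        names = [n for n in entry["name_value"].splitlines() if covers(n, domain)]
        key = (entry["issuer_name"], entry["serial_number"])
        if not names or entry["issuer_name"] in allowed_issuers or key in seen:
            continue
        seen.add(key)  # collapse precert/cert pairs into a single alert
        alerts.append({"serial": entry["serial_number"],
                       "issuer": entry["issuer_name"], "names": names})
    return alerts


if __name__ == "__main__":
    for alert in unexpected_issuances(SAMPLE_ENTRIES, "example.org", {EXPECTED}):
        print(alert)
```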