Ah, you're not talking about issuance. I think you're implying that the browsers blindly copy their trust roots from the linked Salesforce site, and you don't think Salesforce provides suitable tampering protection.

I'm not shocked? The website discusses audit responsibilities quite a bit, which seems like it mitigates tampering concerns. Sure I'd prefer something other than Salesforce too, but I'm not seeing a glaring issue here.