The CAs being centralized is not a problem. They do the verification and issue the certificate. The privacy concern stems from using the certificate and CAs are not involved in that process.
Yes you do have to trust someone and the CA is the trusted entity for doing the verification, but once they do the verification and in effect encode that verification onto a certificate, their role is done.
Yes you do have to trust someone and the CA is the trusted entity for doing the verification, but once they do the verification and in effect encode that verification onto a certificate, their role is done.