You seriously don't see any difference between 1) Dell installing a cert that applies broadly with plausible deniability (the current situation), and 2) Dell installing a similar cert and explicitly overriding some sort of per-domain debug setting?

Yes, Dell could do anything they want, but the latter situation clearly establishes mens rea[1].

https://en.wikipedia.org/wiki/Mens_rea

The article addresses this explicitly. The point is to reduce the attack surface and limit the damage that is caused by these sorts of 'mistakes'.