While I've seen some scripts to "blackhole" so-called bad/suspicious CAs, I have yet to find something that cleans things across the board for different browsers.
Apple's implementation of "Rootless" while useful for other things hasn't helped by denying the ability to remove certs unless one reboots into recovery and does "csrutil disable".
Apple's implementation of "Rootless" while useful for other things hasn't helped by denying the ability to remove certs unless one reboots into recovery and does "csrutil disable".