Excellent summary, including bits I was obliviously unaware of. Many thanks!
BTW/FWIW, if you don't want to trust browser engineers (or, in the case of Chrome and Edge on Windows, Microsoft engineers) to keep up with this and immediately remove CAs that no longer are transparently trustworthy, there is a way to 'blacklist' those CAs. How-to here.
I'd love it if this got automated and were subscribable, like SNORT. As far as who to trust for that, I'd certainly trust the EFF for a list of suspect CAs.