They also will often install their own trusted root certificate and then MITM all HTTP/HTTPS connections. Often, this MITM will significantly reduce the cryptographic security of the connection over the public internet [1].

[1] https://jhalderm.com/pub/papers/interception-ndss17.pdf