
Can't individuals (on their local systems) just blacklist those root CAs independently of the browsers? I can do that today to trust and distrust any certificate out there. Problem solved right?
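What that looks like in practice on a Debian-style system, as an added example that is not from the thread: in `/etc/ca-certificates.conf` a line prefixed with `!` deselects that root from the system bundle, and `update-ca-certificates` rebuilds the bundle. The conf contents and certificate names below are constructed samples.

```shell
#!/bin/sh
# Added example: deselect a root in a Debian-style /etc/ca-certificates.conf.
# A leading "!" on a line means "do not include this CA in the system bundle".
set -eu

# distrust_root CONF NAME
# Prefix NAME's line in CONF with "!" (idempotent); returns 1 if NAME is absent.
distrust_root() {
    conf=$1; name=$2
    if grep -qxF "!$name" "$conf"; then
        return 0                          # already deselected
    fi
    if ! grep -qxF "$name" "$conf"; then
        echo "not in store: $name" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -v n="$name" '$0 == n { print "!" $0; next } { print }' "$conf" > "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"  # overwrite in place, keep permissions
}

# count_trusted CONF: roots still selected (neither comment nor "!" lines)
count_trusted() {
    grep -vc '^[#!]' "$1" || true
}

# Constructed sample of the file format (a real file lists ~150 mozilla/*.crt lines)
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
mozilla/Example_Root_CA_1.crt
mozilla/Example_Root_CA_2.crt
mozilla/Example_Root_CA_3.crt
EOF

distrust_root "$SAMPLE_CONF" "mozilla/Example_Root_CA_2.crt"

# On a real system, regenerate /etc/ssl/certs/ca-certificates.crt afterwards:
#   sudo update-ca-certificates --fresh
# This only affects OpenSSL/GnuTLS consumers. Firefox and Chromium on Linux use
# their own NSS stores (certutil -d sql:$HOME/.pki/nssdb ...), and Java its cacerts,
# so each store has to be edited separately.
```

Because each TLS stack keeps its own trust store, a local distrust has to be repeated per store, which is part of why the root-store annotation problem discussed below matters.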


> Can't individuals (on their local systems) just blacklist those root CAs independently of the browsers?

The problem (for me at least) is deciding which of the 200-odd roots I want to distrust. If a root has a name that I can't decipher because it's in foreign, that's easy. But most roots have cryptic names, and there's no standard way of finding out who operates a given root, who audits it, or who that root is allowed to issue certs for.

Perhaps there's a market for an open-source root-store editor that annotates each root with a plain-language description, including stuff like how many certs it has issued, and how many frauds and cock-ups it's been responsible for.


Most people never change defaults; this is for mass surveillance and repression. It's not about some specific activists; for those they hire foreign private security firms, and they are using 0-days anyway.

