Malakai Android 6 removed trusting user installed certificates by default for apps. Apps targeting Android 6 or later (API 23 or later) don't trust them unless they explicitly opt into it.
https://developer.android.com/privacy-and-security/security-config#CustomTrust
It's not even possible to install an app below API 23 without using developer options, enabling ADB, authorizing access from a computer and passing a special parameter to adb install to ignore the legacy API level.
Before Android 11, it was possible for apps to request to add a root certificate. This was the same UI as manually adding one with a scary prompt and authentication with lock method required. Android 11 removed the ability for apps to trigger this process.
It's essentially a non-issue at this point beyond the questionable status quo of browsers still allowing adding root certificates which aren't scoped to specific sites. It's a browser app issue rather than an OS issue. We can consider changing it for Vanadium but it's a low priority since the user has to go out of the way to do this to themselves. There are also plenty of sketchy WebPKI roots and WebPKI desperately needs to be stripped down and replaced.