gruser634: I feel like this was a premature move from GOS' side.
I read through the back-and-forth on the certificate maintainer forum for both Chunghwa and Netlock. Personally, based on the communications I saw, it isn't clear to me what basis there is for strong confidence in certificates recently issued by those organizations.
Clearly, being a reliable CA is hard. For example, it appears that these days CAs are expected to scale up their incident-response abilities as they scale up the number of customers, and to have plans in place for various mishaps that are plausible (based on mishaps that have occurred with other CAs). So if a CA's response to an issue is "Yeah, the standards may say that we need to resolve an issue of this type in 3 days, but we don't have the infrastructure to handle this event quickly", that sounds like maybe a choice was made to run a business without enough infrastructure investment.
Bad things can happen! For enough money, an employee (or several) can be paid to issue bogus certificates. Or a nation-state or a well-resourced ransomware gang can break in and issue bogus certs. Because these things have already happened, part of being a CA is figuring out how to quickly respond to those things. If it is clear that some organization doesn't have a cleanup plan and isn't working on one then arguably browsers shouldn't be trusting those certificates.
While the approach taken by Chrome and Firefox, namely distrusting only new certificates from those CAs, is a less-disruptive way to exert pressure than distrusting all certificates, it's not clear why it's accurate. A CA that is found now to not have a good response plan doesn't have a good response plan for either old or new certificates. And if this pressure causes them to fix their infrastructure, then presumably the fixes will improve handling of incidents related to both old and new certificates. Meanwhile, if there were problems with a CA's pre-issuance verification procedures (which, if I recall correctly, was the case with Chunghwa), then it's actually completely sensible to distrust old certificates that were issued during a period of insufficient verification.
Because GrapheneOS is focused on security, I'm not surprised that they just yanked the CAs, especially if the "soft deprecation" approach employed by Chrome and Firefox would have required writing a bunch of code.
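For readers who want to see what the "soft deprecation" mechanism the post contrasts with a full removal actually amounts to in code, here is an added example (mine, not from the post above, GrapheneOS, Chrome or Firefox). It builds a normal X.509 chain with Go's standard library and then applies a per-root cutoff: a leaf that chains only to a restricted root and whose NotBefore is on or after that root's cutoff is rejected, while an earlier leaf from the same root still validates. The root name "Example Restricted CA", the cutoff date and the clock are constructed for the example; the real per-CA dates are whatever each browser program announced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed for the example: the date from which new issuance is distrusted
// and the "current time" used for validity checks.
var (
	cutoff = time.Date(2025, 8, 1, 0, 0, 0, 0, time.UTC)
	now    = time.Date(2025, 10, 1, 0, 0, 0, 0, time.UTC)
)

// DistrustAfter maps a root's raw DER Subject to the date from which leaf
// certificates chaining to that root are no longer accepted.
type DistrustAfter map[string]time.Time

// Verify performs ordinary chain building, then discards every chain whose
// root is restricted and whose leaf was issued (NotBefore) on or after the
// root's cutoff. One surviving chain is enough to accept the certificate,
// which mirrors the "old certs keep working, new ones do not" behaviour.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, policy DistrustAfter, at time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	if err != nil {
		return err // not even a syntactically valid, in-date chain
	}
	for _, chain := range chains {
		root := chain[len(chain)-1]
		if since, ok := policy[string(root.RawSubject)]; ok && !leaf.NotBefore.Before(since) {
			continue // issued after the cutoff under a restricted root: drop this chain
		}
		return nil
	}
	return errors.New("certificate only chains to a root distrusted for its issuance date")
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent (self-signed when parent is nil) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Fixture is a constructed trust store: one root and two leaves it issued,
// one before and one after the cutoff.
type Fixture struct {
	Root, OldLeaf, NewLeaf *x509.Certificate
	Roots                  *x509.CertPool
	Policy                 DistrustAfter
}

func BuildFixture() Fixture {
	caKey := newKey()
	ca := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Restricted CA"}, // constructed name
		NotBefore:             time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2035, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, &caKey.PublicKey, caKey)

	leaf := func(serial int64, notBefore time.Time) *x509.Certificate {
		k := newKey()
		return sign(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "www.example.test"},
			DNSNames:     []string{"www.example.test"},
			NotBefore:    notBefore,
			NotAfter:     notBefore.AddDate(1, 0, 0),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, ca, &k.PublicKey, caKey)
	}

	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return Fixture{
		Root:    ca,
		OldLeaf: leaf(2, time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)), // before cutoff
		NewLeaf: leaf(3, time.Date(2025, 9, 1, 0, 0, 0, 0, time.UTC)), // after cutoff
		Roots:   roots,
		Policy:  DistrustAfter{string(ca.RawSubject): cutoff},
	}
}

func main() {
	f := BuildFixture()
	fmt.Println("leaf issued 2025-06-01:", Verify(f.OldLeaf, f.Roots, f.Policy, now))
	fmt.Println("leaf issued 2025-09-01:", Verify(f.NewLeaf, f.Roots, f.Policy, now))
	fmt.Println("same leaf, no policy:  ", Verify(f.NewLeaf, f.Roots, nil, now))
}
```

Two caveats a practitioner should keep in mind. First, the check keys on NotBefore, a field the CA itself writes, so a CA that is already misissuing could backdate a certificate past the cutoff; browsers mitigate that by also consulting Certificate Transparency log timestamps, which this example does not do. Second, the policy is applied per chain, not per leaf, so a leaf that also chains to an unrestricted root through a cross-sign is still accepted, which is exactly why full removal (the GrapheneOS route) is simpler to reason about than a dated distrust.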