Isn't adding new root certificates basically the same attack vector as just turning off or routing around your SSL? Who can mess with your certificate store who can't also just run whatever code on your machine?