If you're building an interception service (which this could be) - then yes, you build your own Root CA which you install on devices that you want to intercept.

Legitimate uses of this would be things like government or military departments intercepting traffic from their own network.

As explained elsewhere in this thread, they have a history of working with regimes where they want to intercept the traffic of the general public in countries.

No, it would require them to add their cert on the intended machines under their control. The only reasons they would need the trust of all browsers and OS's are subterfuge and laziness. They should not be globally trusted to issue certificates.