It has been my experience that people actually have no clue what they're signing up for. In a few reddit conversations today, I found people saying things like "sure they can see what websites I'm connected to, but my important information is encrypted, so I don't really mind". Sorry mate, they can see that too.
Encrypted data can be read if you install a root CA, which is what the Facebook app does, but the Google version does not appear to do that.
There’s an “enterprise certificate”—installing the enterprise certificate allows you to side-load applications. This is relatively benign. Both Facebook and Google do this, in both cases apparently a violation of Apple policy.
There’s a “root certificate”—installing the root certificate allows you to do MitM attacks and read encrypted traffic like messages, bank passwords, etc. The Facebook app appears to do this and I would characterize this reckless, irresponsible, and unambiguously unethical.
