If you are on an untrusted device (eg. someone else could have hacked the root cert store in the OS/browser), all bets are off: they could have also just hacked the browser to drop any and all warnings and to always display a green padlock icon.

If you are talking about someone else hacking your machine, well, then it's pretty much the same: they can get most stuff by adding keyloggers, screen recorders and just scraping your disk for useful data.

If you are on a trusted device, you can "hack" the root cert store all you want to add root certificates you trust. As long as you trust them, no trust has been lost.

Root certificates are not really "centralized": they are issued by different CAs, and different browsers trust different root CAs too, and it was even more prominent in the past where you had some certs "work" in only some browsers. Still, there are multiple recognised attack vectors there as well (each individual CA, their certificate issuing servers which have access to the root or intermediate signing cert, browsers and OSes and their trusted-CA components...), and the big difference is that the attack vectors are known and heavily monitored.

PGP/GPG keyrings were basically the same approach without the root certificates, and the (in)famous signing parties did not bring a trust level that is ultimately needed on the internet today. I would love to see a development in that direction (one could say it was an early consensus-building approach on who to trust), but we are not there yet.

It certainly is your choice to how you want to protect yourself and your web site visitors, and it's your web site visitors' choice whether they want to trust you with their data (for instance, I personally would recommend you to set up a self-signed cert and add that root cert to your keyring for services that you plan to only access yourself through untrusted networks).

Except that most people won't understand where the risks are in either approach, and that's half the battle.