I think it is a legitimate concern in both directions. Who should users trust more: Mozilla or their local government? Some countries have tried to use local PKI to spy on citizens. Mozilla has taken steps in the past to prevent abuse. On the other hand, can Mozilla accept an Iranian CA even if they can match the root program's requirements?
Amusingly, Mozilla rejected the US government's request to add the federal PKI to the root store.
Trust in government is typically a lot higher in the EU than in most other parts of the world, so you can't really compare. I know Americans often want private companies to protect them from governments, but in the EU people typically want their government to protect them from private companies. I trust my government way more than I trust Mozilla, Google, Microsoft and Apple combined, it isn't even close.
Mozilla has identified issues with CAs that are part of eIDAS. The severity of these issues can be debated, but the nice part of Mozilla's root program is that these are publicly debated. For example, the community identified repeated issues with the CA Certinomis and after failures to improve they were distrusted. Is it a good thing that the EU says that doesn't matter and Certinomis certs must be trusted as part of eIDAS?
Mozilla argues in their paper that once governments in one part of the world start forcing browsers to include root certificates, governments in other parts of the world will start doing the same shortly after. You might trust your government more, but you certainly wouldn't trust arbitrary governments more.
Furthermore, I have seen nothing wrong in Mozilla's stewardship of the root certificate program in the decades it's been running, whereas Mozilla points to deficiencies in the EU's certificate programs. This is to be expected since running a root store is not one of the EU's specialties. I would trust most the government that defers to private companies in areas where it lacks expertise.
> Who should users trust more: Mozilla or their local government?
Is that really a question to be taken seriously? One is a private organization, completely unaccounted for and in a foreign jurisdiction, who sets their own rules and follows up on themselves.
The other is accountable and audited by independent auditors in a system which upholds separation of power and keeps independent media?
(Just to clarify: Neither Mozilla nor anyone else should accept QWAC or any other standard in the face of legitimate concerns, of course. That's not what trust means.)
When it comes to international relations I would depend on (not exactly trust, but close enough) my government more than Mozilla. When it comes to browser implementation topics I trust Mozilla more than any government.
There is nothing intrinsic to any system of government that would make any of them good at solving technical issues on their own.