The Pentagon takes approach 2. Most people never need to access a .mil anyways, but if you need to work with their office (I had a dealership leasing cars to them needing to use a web portal) then you have to install their cert bundle.
I am unfortunately aware. To make matters worse, the preferred install mechanism is a .exe that adds all of the opaquely named DOD CAs to your machine.
Regardless, this puts you back at a US Government-controlled CA being on your machine.