I trust the WebPKI infra quite a bit. Cert validation is publicly logged, CAs that do nefarious things get booted from browser trust stores.

I can set which CAs can sign certs for my domains, and monitor if any are issued that I didn't expect.