> I worry that the CA is somehow compromised (state actor holding private keys, etc).

"Somehow" is doing a lot work in that sentence.

Operationally, there's no difference between the security procedures and requirements that a for-profit or a non-profit CA must adhere to.