by geofft 2653 days ago
Not obvious to me at all. I would say that believing you can manually verify hashes in a trustworthy way is incompetent. Where do you get the hashes to compare against from?

You get the hashes you trust from the counterparty that you trust. I.e. your bank could print it everywhere.

It’s not less obvious than just trusting your browser vendor.

EDIT: Also note that in the presented approach you can still trust some root CAs. It’s just that the user has to do it explicitly.