I suppose it would be trivial for them to issue compromised certificates or record the private key in a targeted attack for a specific domain without anyone noticing.
During normal certificate issuance, they do not generate or see the private key, so they can't compromise the certs they sign for you.
Like any other CA, they do have the technical ability to sign arbitrary other certs, so could issue a cert for MITM. As some other comments show, certificate transparency is starting to reduce this risk.