This is a well-known issue since Ken Thompson's Trusting Trust paper, and not what I am getting at.
It is degrees of trust. Trust is not absolute, neither is security. Depending on your threat model you have to secure yourself. More transparency improves security; it does not solve all the problems, it just makes it costlier for an attacker. If the cost outweighs the benefit, they will not attempt it.
HTTPS does not magically make your communication 100% secure; however, the number of people who can issue a certificate from a compromised root CA, or control one, is considerably smaller than the number of people who can monitor your plain-text traffic.