I was going to migrate over to ZeroSSL, but there were red flags in the form of missing documentation that you would expect from a CA, like what is the chain of trust for certificates that are being issued? If I have to issue myself a certificate to check which CA is being used to sign the cert, that doesn't feel right.
"Buypass Class 3 Root CA", which appears to be the root certificate they currently use, is present for all listed iOS versions (7+), which seems like a good sign. Let's Encrypt's "ISRG Root X1" is present in iOS 10+.
Similar lists for Android would be wonderful but probably impossible to compile due to ecosystem fragmentation. I guess there is no caniuse.com for root certificates.
I suspect there is no source that tracks exactly what's trusted on a large range of devices. Perhaps somebody should maintain this information, although it seems like a really thankless volunteer task, I'm really interested in such stuff and still it makes me feel tired just thinking about it.
There aren't degrees of trust in the system, but it is common for more sophisticated systems to have conditional or constrained trust. For example https://wiki.mozilla.org/CA/Additional_Trust_Changes or Microsoft's "NotBefore" constraint in newer versions of their operating system (not to be confused with the "notBefore" parameter in an X.509 certificate itself).
I was going to migrate over to ZeroSSL, but there were red flags in the form of missing documentation that you would expect from a CA, like what is the chain of trust for certificates that are being issued? If I have to issue myself a certificate to check which CA is being used to sign the cert, that doesn't feel right.