[ohyeshedid]

> Purchasing within the country is more secure unless you assume all devices sold within the country are compromised and monitored in real-time which seems unfeasible.

One preinstalled mitm cert, or sketch CA, is within the realm of feasibility.

[Nextgrid]

An MITM cert or compromised CA used to spy on the entire country would require the adversary to be able to capture, store, process and search through all that traffic in near-real-time. Sounds pretty much impossible both from a infrastructure as well as manpower point of view.