by iso1210 1482 days ago
You can use name constraints on the CA, but they are a bit hit and miss when it comes to client support.

For a local CA with the CA only on one machine you're perhaps OK if you are careful, but once you share the server with a couple of colleagues you are potentially into a world of hurt.

On OSX you can choose "Always Trust" or "Never Trust" for various purposes (code signing, SSL, EAP, etc).

Why can't I have "Ask first time", or "Trust only for specific domains"?

Same with built-in ones. That "Hong Kong Post" root CA raises some eyebrows with me, I'd love to set that to "Ask first time" on it.
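
Added example, not part of the original comment: a local CA created with a critical `nameConstraints` extension limited to one DNS subtree, then checked with OpenSSL's own verifier against an in-scope and an out-of-scope leaf. The domain `dev.example.test`, the file names and the function names are constructed for illustration; the result shows only how `openssl verify` behaves, so any other client that will trust the CA needs the same test run against it.

```shell
#!/bin/sh
# Added example: local CA limited to one DNS subtree via X.509 nameConstraints.
# Host names, file names and function names are constructed for this illustration.
make_ca() {  # make_ca <dir> <permitted-dns-subtree>
    mkdir -p "$1" || return 1
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Local Dev CA" \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_leaf() {  # issue_leaf <dir> <hostname>; the CA signs whatever it is asked to
    printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$2" > "$1/$2.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$1/ca.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

leaf_accepted() {  # exit 0 only if the leaf chains to the CA and satisfies its constraints
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Demo: one leaf inside the permitted subtree, one outside it.
demo_dir=$(mktemp -d)
make_ca "$demo_dir" dev.example.test
for h in api.dev.example.test www.example.org; do
    issue_leaf "$demo_dir" "$h"
    if leaf_accepted "$demo_dir" "$h"; then echo "$h: accepted"; else echo "$h: rejected"; fi
done
```

Signing the out-of-scope leaf succeeds; the constraint only takes effect when the relying client validates the chain.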