If I understand correctly, they can only spy on you if they have full access to your traffic, including the ability to modify it, in order to carry out a MITM attack.
You've chosen a wrong place to disinform. Tech people understand that having russian CA certificates installed allows russia to MITM all your traffic, if they can access it.