They used yo. Now most governments just have their own "proper" CAs which are included by default in web browsers. If you look at the default CA list of Firefox or Chrome you will see most of them are public agencies.
I think Certificate transparency checks mean you should be able to tell if the certificate was fraudulently issued for a domain that is not with the CA. (This circumvents that.)
In your scenario, if the domains CA is the government CA anyway, then it's fair game. Most domains' CA will be cloudflare or whatever not the government CA.
In your scenario, if the domains CA is the government CA anyway, then it's fair game. Most domains' CA will be cloudflare or whatever not the government CA.