by tptacek 567 days ago
Yes, if the interception system involved was meant only for resources within Brazil’s own agency networks.

Note that this scenario happened for ANSSI and MCS Holdings, so there would be precedent. I'm eager to see what Google concludes this time.

https://security.googleblog.com/2013/12/further-improving-di...

https://security.googleblog.com/2015/03/maintaining-digital-...

But that's not allowed for publicly trusted roots under any circumstances, right? Not sure if that would qualify as an accident.
I think the parent is saying that if they meant to use the cert only internally (e.g., to monitor employees) then that would arguably not be malicious.
Not malicious, but also not exactly purely accidental, i.e. as part of some otherwise totally legitimate activity.
I think the accidental part would be in the scope. I'm not an expert on these things, but they could have intended to create a self-signed cert only valid within the scope of their IT, but accidentally created one from their CA.
It would not be malicious. I don't think there's a serious argument here (bearing in mind that in the airless vacuum of a message we can, of course, argue anything).

I don't know that's what happened here, though; there are malicious possible explanations!

I largely agree, although I think there's some part of a slippery slope specifically when it comes to government, since you could argue that a government monitoring its citizens is also not malicious since (in a democratic society) the government derives its mandate from the people.

This isn't too different from the argument that (I believe reasonably) applies for how a company has the right to monitor employees, but I think many people are opposed to even democratic governments monitoring people and would consider such use malicious.

So a government monitoring its employees is one step closer even than a company, since it's the same organization in this case (though again, I think it's largely reasonable for a government to monitor their employees).

> if they meant to use the cert only internally (e.g., to monitor employees)

Or to redirect to an internal, no doubt pitched as more secure, search engine.

> (e.g., to monitor employees) then that would arguably not be malicious.

If only there were a way to monitor company equipment without issuing a cert for a public third party.

AI screen monitoring right
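The "scope" point in the thread (a cert meant to be valid only within an organisation's own IT versus one issued from a CA that can vouch for a public third party) can be made concrete with openssl. The script below is an added example and not code from the original thread or from any party it discusses. It creates two private roots, one limited by an RFC 5280 name constraint to a hypothetical corp.example domain and one unconstrained, issues a www.google.com leaf from each, and checks which trust stores accept the result. The domain, file names and one-day lifetimes are assumptions made for the demonstration; the "public" store is simply the system CA store of the machine it runs on.

```shell
#!/bin/sh
# Added example for the scoping discussion above; not code from the page.
# Builds two private roots with openssl, one limited by an RFC 5280 name
# constraint to the organisation's own domain and one unconstrained, issues
# a www.google.com leaf from each, and checks which trust stores accept it.
# "corp.example", the file names and the 1-day lifetimes are assumptions.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# make_root NAME [DNS_CONSTRAINT]: self-signed CA as NAME.pem / NAME.key.
# With a constraint, the root may only vouch for names under that suffix.
make_root() {
  {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n'
    printf '[dn]\nCN = %s\n[ext]\n' "$1"
    printf 'basicConstraints = critical, CA:TRUE\n'
    printf 'keyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n'
    if [ -n "$2" ]; then
      printf 'nameConstraints = critical, permitted;DNS:%s\n' "$2"
    fi
  } > "$1.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.pem" -config "$1.cnf" >/dev/null 2>&1
}

# issue_leaf ROOT DNSNAME: end-entity cert ROOT-DNSNAME.pem signed by ROOT.
# Signing does not enforce the root's constraint; only verification does.
issue_leaf() {
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$2"
    printf '[ext]\nbasicConstraints = CA:FALSE\n'
    printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
    printf 'subjectAltName = DNS:%s\n' "$2"
  } > "$2.cnf"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -config "$2.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 1 -extfile "$2.cnf" -extensions ext -out "$1-$2.pem" >/dev/null 2>&1
}

# verify_leaf LEAF [TRUSTFILE]: prints ok or fail. Without TRUSTFILE the
# system store is used, standing in for a browser's public root set.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify "$1" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

make_root scoped-root .corp.example
make_root unscoped-root
issue_leaf scoped-root www.google.com
issue_leaf scoped-root intranet.corp.example
issue_leaf unscoped-root www.google.com

# Scoped root, trusted: google leaf rejected (permitted subtree violation).
scoped_google()   { verify_leaf scoped-root-www.google.com.pem scoped-root.pem; }
# Scoped root, trusted: a leaf inside the organisation's own domain is fine.
scoped_intranet() { verify_leaf scoped-root-intranet.corp.example.pem scoped-root.pem; }
# Unscoped root, trusted: google leaf accepted, i.e. the interception case.
unscoped_google() { verify_leaf unscoped-root-www.google.com.pem unscoped-root.pem; }
# Same leaf against the public store: rejected, the root is not in it.
public_google()   { verify_leaf unscoped-root-www.google.com.pem; }

echo "scoped root trusted,   google leaf:   $(scoped_google)"
echo "scoped root trusted,   intranet leaf: $(scoped_intranet)"
echo "unscoped root trusted, google leaf:   $(unscoped_google)"
echo "public store,          google leaf:   $(public_google)"
```

The last two results are the whole argument in the thread: a private root only intercepts www.google.com on devices where that root has been installed, and the name-constrained variant cannot do so even there. A publicly trusted root is in every browser's store already, so a leaf issued from it is accepted everywhere, which is why scoping has to happen at issuance (constraints, a separate private root) rather than by intent.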