I'm aware the like of NSA have agreements with various technology providers ... I don't mind the folks at NSA knowing I like certain movies, porn actresses, fancies or whatever kinks I might have as it's of little interest to them ... I would vomit endlessly knowing some commercial interests have scrapped enough PII to start marketing or steering me towards topics it thinks could make a buck out of me and as such, I've dropped in a bit of a deny wall, accidentally use a browser cloudflare hates - sure it makes it hard to navigate the web at times, but I'm ok with that.
On infrastructure level, let me as a user (easily) decide which Root CAs I want to trust. Have websites by default deliver certs that match my region (i.e. a cert from a European Root CA if I'm in Europe).
By itself, this won't do anything (because you will still be using service that utilize US servers, but will be an important step for the safety of the non-US world.
I guess it will be other way round. More services will be run independent of the US and this will result in pressure to also solve the cert issue.