[Muromec]

So does a CA issuing my certificate, but there is some oversight in what they do.

[jeroenhd]

That's different. While your CA can hand out new certificates, it doesn't know your keys (unless you messed up when uploading your CSRs).

CAs have to prove they're not faking certs through the certificate transparency logs, there's no such limitation on Bluesky.

A more apt comparison is a shared host that does certificate management for you. Those are also often considered less secure, of course.