by jlgreco 4759 days ago
Without the key, they couldn't read it. Getting a CA on board doesn't give them that (that would only allow them to create an alternative key that software without pinning would accept); they would need to either be given the key by anyone that had it or factor it themselves.
1 comments

The private key should not be that hard to obtain. Google has thousands of frontend servers, and each one of them has to have the SSL private key (at least in memory). Probably at least a hundred people have access to these servers. It's enough to bribe just one of them.