by Manishearth 4004 days ago
In an open source store with an open process like Mozilla's, someone's bound to notice.

(actually, I'm not sure if Mozilla even can push certs without an explicit update)


Mozilla and its foundation being US based, they can be the target of a gag order, making them liable if they disclose/talk about/hint at a "fake" root cert added for the sake of an agency.

Once you start playing with gag orders, secret courts and whatnot, all kinds of fun stuff become possible.

Alleged liability. Many seem to think that those actions of the US government are not legally allowed. Most likely there is no real liability for not following a gag order as speech is pretty unambiguously protected from being regulated or circumscribed by the US government.

Except corrupting the source code from which packages are built. At least without anyone outside noticing because the code is public and I bet foreign intelligence agencies that do not trust Microsoft to make IE secure for them are monitoring the change stream.