CA Roots
And who checks to see that the list of trusted CAs used by the browser is actually a list they agree with?
It's all very well having a green locked padlock symbol, but all it tells the typical user is that one of a list of organisations they've never heard of say that the site being accessed is who they say they are. Malware can be delivered down encrypted connections too, and while Lets Encrypt is a commendable effort, it doesn't actually solve the problem of being sure who you (or your software) can trust.
Securely delivered malware will be coming to a browser near you, soon, if it hasn't already arrived.