I'm seeing a lot of confusion here. Equipment generating a self-signed certificate doesn't make it a root or even a trusted certificate; that's why you get browser warnings when you attempt to load the page. Most Chromium browsers, on Windows at least, use the default Windows certificate store; I think it's mostly just Firefox that's the holdout and still using its own store. Whatever else happens, you are trusting the OS or browser vendor to only install root certificates that should be trusted. You are then trusting the certificate authorities.
You've always been able to create your own root CA. Most large enterprises have a PKI infrastructure of their own, and Windows domains create certificates that are loaded into your Windows certificate store. Most security software now requires the install of a root cert on your machine to peruse and block encrypted bad content. I think it's a stretch calling this hidden; you just have to trawl through the certificate store in use.
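
An added example (not part of the comment above and not any vendor's code) of trawling the Windows certificate store from PowerShell: it lists every entry in the machine and user Root stores and checks whether a given certificate file is actually a trust anchor on this machine. The function names and the file path are hypothetical, and comparing Subject to Issuer is a name-based heuristic for "self-signed", not a signature check.

```powershell
# Added example. Function names are hypothetical, not a built-in module.
$BasicConstraints = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]

function Get-RootStoreEntry {
    # Enumerate the Trusted Root stores that Windows (and browsers using
    # the OS store) consult when building a chain.
    param([string[]]$Store = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'))
    foreach ($path in $Store) {
        Get-ChildItem -Path $path | ForEach-Object {
            $bc = $_.Extensions | Where-Object { $_ -is $BasicConstraints }
            [pscustomobject]@{
                Store      = $path
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                # Heuristic: issuer name equals subject name.
                SelfSigned = ($_.Subject -eq $_.Issuer)
                # True only if basicConstraints is present and says CA.
                IsCA       = [bool]($bc -and $bc.CertificateAuthority)
            }
        }
    }
}

function Test-TrustAnchor {
    # A self-signed certificate is a trust anchor only if it has been
    # placed in a Root store; being self-signed alone grants nothing.
    param([Parameter(Mandatory)][string]$CertificateFile)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertificateFile)
    $match = @(Get-RootStoreEntry | Where-Object Thumbprint -eq $cert.Thumbprint)
    [pscustomobject]@{
        Subject     = $cert.Subject
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        InRootStore = ($match.Count -gt 0)
        Stores      = ($match.Store -join '; ')
    }
}

# Review the roots currently trusted on this machine, soonest expiry first.
Get-RootStoreEntry | Sort-Object NotAfter |
    Format-Table Store, Subject, Thumbprint, NotAfter, IsCA -AutoSize

# Check a certificate exported from a device (placeholder path):
# Test-TrustAnchor -CertificateFile 'C:\temp\device-cert.cer'
```

For a device's own self-signed certificate, `Test-TrustAnchor` would normally report `SelfSigned = True` and `InRootStore = False`, which is the state that produces the browser warning.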