"There are many different TLS certificate providers from different CA roots."
- Yes but there are only a handful of browsers and they preselect the default CA providers. The average user is not going to be able to configure custom CAs and will effectively be denied service should those pre-selected CAs go rogue.