The other alternative is to decide that we are going to do unsafe things and to put it super loudly in the release notes that any sysadmin-configured trust anchors will be blown away. Compared to pkgdb, I expect that most admins both have backups, and have such certs elsewhere, and recovery is not too hard. I do expect a lot of people to have trouble and to complain.
Doing it this way would be a departure from longstanding practice that is so ingrained that we haven't ever talked about whether it is policy.