The last time I checked, manually added CAs were exempted in Firefox (organisations may need that for their internal chains), but no idea about the current status and other clients.
Manually added CAs (for organizations) and manually added self-signed certificates (for internal appliances and IoT things, including Azure IoT things according to Microsoft) are so common that it is extremely unlikely any major browser vendor will blacklist or disable them.
Even in the case of an exploit adding them without user intervention, the actual proper use cases are so useful to end users and organizations that the only really acceptable solution will be to make it impossible to "silently add" certificates, including warning/prompting the user if new additional certificates are detected at profile load time.