
If you're that much of a target, you'll find your devices hacked soon enough regardless.

I can't speak about your threat model, but "exfiltrating my private CA keys to phish my browser" isn't really something I worry about in practice.

For those still checking certificate validity, Firefox will warn you that the certificate used is not in the system database when you click the little lock in the address bar.

That said, I'd absolutely love a system where I could restrict my private CA to certain domains.




You can use name constraints on the CA, but they are a bit hit and miss when it comes to client support.

For a local CA with the CA only on one machine you're perhaps OK if you are careful, but once you share the server with a couple of colleagues you are potentially into a world of hurt.
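As an added example (not from this thread), here is a constructed OpenSSL session showing what the name constraints mentioned above actually do: a private CA is issued with a critical nameConstraints extension that permits only lab.example and its subdomains, and OpenSSL's own verifier then rejects a certificate the CA signs for a host outside that subtree. The domain names, subject names and temp paths are all constructed for the demo; whether a particular browser or TLS library honours the extension is the client-support caveat the comment raises.

```shell
#!/bin/sh
# Constructed lab: a private CA that can only vouch for one DNS subtree.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a root whose critical nameConstraints permit only lab.example and its subdomains.
make_constrained_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = Lab Private CA (constructed demo)
[ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:lab.example
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Sign a server certificate for host $1 with the lab CA; prints the leaf's path.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -days 30 -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  echo "$WORK/$1.pem"
}

# Validate like a constraint-aware client: returns 0 if the chain is accepted, 1 if not.
verify_leaf() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

make_constrained_ca
for host in app.lab.example login.bank.example; do
  leaf=$(issue_leaf "$host")
  if verify_leaf "$leaf"; then echo "$host: accepted"; else echo "$host: rejected (outside permitted subtree)"; fi
done
```

Repeat the verification step with the clients you actually deploy: one that ignores the critical extension, or refuses the CA outright because of it, is the "hit and miss" part.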

On OSX you can choose "Always Trust" or "Never Trust" for various purposes (code signing, SSL, EAP, etc).

Why can't I have "Ask first time", or "Trust only for specific domains"?

Same with built-in ones. That "Hong Kong Post" root CA raises some eyebrows with me; I'd love to set that to "Ask first time".
