Hacker News

The biggest problem with 1) is that you lose the ability for your browser to perform checks on the certificate. If the certificate fails, the only option is to deny the connection. (Or fake it and return an error page but that can have unintended consequences.)

And with 2), that would work, though you'd probably want to whitelist port 53 so that you can resolve names in the first place. Sounds like it should be effective, though.



A successful MITM with an injected trusted cert should appear 100% valid to the browser. That's the point. According to your device setup the connection has not been tampered with, because you as the device owner allowed a new root cert to be trusted.

The rest is just fear mongering, I'm sorry, not sure how to phrase that more elegantly or politely. I'm not an uber-smart domain expert wrt certs, but we shouldn't have to be to know that valid device MITM with certs is a normal use case. And it shouldn't be used as a boogeyman on layman users.


Those checks are then performed on the MITM device. Instead of an error page the device could return the same sort of page that your browser would otherwise display for you. The connection has been MITM'd after all.
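The two comments above describe the mechanism without showing it: an interception proxy holds its own root, the device owner installs that root, the proxy mints a fresh leaf for each site, and the browser's chain/name check passes only because the root is in its store. The following is an added example (not code from any commenter, and not any particular proxy's implementation) using only Go's standard library. The CA name, the hostnames `example.com` and `other.example`, and the one-day validity window are assumptions chosen for illustration; no real CA or site is contacted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// rootCA is the proxy's private root: the "injected trusted cert" the device
// owner installed. The name is hypothetical; no real CA is involved.
type rootCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// randomSerial returns a 128-bit random serial, as real CAs are expected to use.
func randomSerial() (*big.Int, error) {
	limit := new(big.Int).Lsh(big.NewInt(1), 128)
	return rand.Int(rand.Reader, limit)
}

// newRootCA creates a self-signed CA certificate valid for one day.
func newRootCA(name string) (*rootCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &rootCA{cert: cert, key: key}, nil
}

// mintLeaf does what an intercepting proxy does for every site it sees:
// issue a fresh server certificate for host, signed by its own root.
func (c *rootCA) mintLeaf(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyLeaf is the browser-side check: chain to a root in roots, SAN matches
// host, validity window OK, usable for server auth. nil means "looks valid".
func verifyLeaf(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, err := newRootCA("Device Owner Interception Root")
	if err != nil {
		panic(err)
	}
	leaf, err := ca.mintLeaf("example.com")
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool() // a browser whose owner installed the root
	trusted.AddCert(ca.cert)
	untrusted := x509.NewCertPool() // a browser that never got the root
	fmt.Println("trusted store :", verifyLeaf(leaf, "example.com", trusted))
	fmt.Println("other browser :", verifyLeaf(leaf, "example.com", untrusted))
	fmt.Println("wrong hostname:", verifyLeaf(leaf, "other.example", trusted))
}
```

The three calls at the end are the whole argument of the thread in miniature: with the owner-installed root the minted leaf verifies cleanly; a browser without that root rejects it as signed by an unknown authority; and even with the root installed, a leaf minted for one name still fails the hostname check for another, which is why the proxy must mint per site. The upstream checks the second comment mentions are the same `Verify` call, run by the proxy against the real root store before it decides to mint.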



