By all means correct me if I’m wrong, but looking at the PR this article links to. It looks like all that’s happening is that Google’s trusted certs are being added to the android apex API and are now immutable. Any non Google certs are still going to be saved to ANDROID_ROOT/etc/security/cacerts the same as they currently are.