In fact, you don't have to trust any of them, since browser root stores enforce certificate transparency.
But also the issues of segmentation are pretty much a total shift of the goalposts from what we were discussing, which is what actually happens when malicious activity occurs. In DNS, your only option is to stop trusting that slice of the tree and for every site operator to lift and shift to another TLD, inclusive of teaching all their users to use the new site. In WebPKI, the CA gets delisted for new certificate issuance and site operators get new certificates before the current ones expire. One of those is insane, and the other has successfully happened several times in response to bad/rogue CAs.