Is there a commonly used language other than Java that doesn’t just defer to the OS trusted CAs by default?

The behaviour of curl depends on how your version was built.

Python? The widely used 'requests' relies on 'certifi' and skips the OS store - but 'pip' on the other hand does use the OS store.

A tool that might use java, like a database or IDE, means it might have its own store.

Node? Make sure you set NODE_USE_SYSTEM_CA=1

Firefox and Chrome AFAIK both have their own stores.

Building a Docker container? That's intentionally isolated from the host, of course your container won't inherit the OS trusted CAs. Running a VM locally? Same.

Installed something using snap? The container-like isolation means it won't pick up the OS trusted CAs.

And of course you need the certs set up right on your cloud servers, your CI servers, the dozen different smartphones the mobile team uses for testing.

Python for example, although nowadays you can simply install pip_system_certs to change that behaviour.

A lot of non-language tools bring their own certificate bundle as well, like uv, git, curl and Firefox. (I think they might all be the same Mozilla bundle even).

However, it seems like the situation here has improved slightly: git can read Windows certificates now once a flag has been set, Firefox has a flag for Windows and macOS, and it supports p11-kit. curl can be built with Windows/macOS support and respects OpenSSL environment variables. uv can be configured to use system-certs.

And obviously any VM or container has to be set up separately. That often includes stuff like pipelines in forges. As mentioned in the sibling comment, at least here it's definitely by design.

Node and (probably by extension) Electron infuriate me with their custom requirements.

Several Rust libraries also tend to default to a predefined set of certificates (which makes sense for libraries supposed to run on bare metal as there are no system certificates there, but that's not really a problem on most Linux installs). I make it a point to always use the native OS roots in the code I write, but unfortunately that's not universal.

Having to bind-mount certificates inside of docker containers is also always an annoyance I forget about until I see the first TLS errors in the logs, but that's by design and probably a good thing.