Allow user-supplied root certificates (weaken security)

Just going to jump in here and reiterate what benegetto said: blocking user-installed certs is worse overall for security. It’s trivially easy to allow, it could be enabled by an off-by-default option with a warning, and by disallowing it you are forcing those of us who use self-hosted or enterprise services to compromise our security by either broadcasting aspects of our internal networks to the world to get a publicly readable LetsEncrypt cert or to disable encryption entirely. And the only threat this really defends against is someone who already has access to the device and therefore all of the data in Obsidian anyway.

It’s all very well and good to demonise self-signed certificates, but all security practices exist in a context and need to be understood in terms of their threat model: a browser not trusting self-signed certs by default is safe because that would let websites execute man-in-the-middle attacks, whereas an app refusing to trust even verified user certificates is unsafe because it forces insecure workarounds and does nothing to actually prevent MITM attacks (since the channel is already as secure as that user’s security practices).

6 Likes
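The distinction the post draws, a user-supplied root versus disabled verification, as an added Go example that is not from this thread or from Obsidian's code: it builds a constructed private root and a leaf for an internal host, then verifies the leaf the way a client should when the user opts in to that root, chain-building against it while keeping the hostname check on. The hostnames and the helper names are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert signs tmpl with signer on behalf of parent and returns the parsed certificate.
func mkCert(tmpl, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildPrivateCA returns a constructed root CA plus a leaf for one internal host,
// standing in for the cert an admin of a self-hosted service would issue.
func BuildPrivateCA(host string) (root, leaf *x509.Certificate) {
	now := time.Now()
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // leaf private key is not needed here
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root (constructed)"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = mkCert(rootTmpl, rootTmpl, rootPub, rootKey) // self-signed root
	leaf = mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
	}, root, leafPub, rootKey)
	return root, leaf
}

// VerifyWithUserRoot mirrors a client that lets the user opt in to a custom root: the chain
// is built against that root (nil means the platform store), but the hostname check stays on.
func VerifyWithUserRoot(leaf, userRoot *x509.Certificate, host string) error {
	var roots *x509.CertPool
	if userRoot != nil {
		roots = x509.NewCertPool()
		roots.AddCert(userRoot)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

A leaf for a different hostname still fails, and the platform store still rejects the private root, which is the property that makes the opt-in safe.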