@WhiteNoise many android apps trust user added CAs. To give a few examples: bitwarden, home-assistant, nextcloud already have it enable. If someone have physical access to device to install CA they have access to all the data alraedy 
1 Like