A root-CA can still swap out your certificates, but they do not have access to the private keys. What they can do is issue valid certs for domains not under their control (or the control of their users). With a bit of DNS poisioning you can now serve traffic through a Proxy and no one would notice (think: someone obtains a valid cert for google.com, sets the local DNS to resolve google.com to the IP of a server hosting a proxy and et voila, you can read all their encrypted traffic to google.com).
A root-CA can still swap out your certificates, but they do not have access to the private keys. What they can do is issue valid certs for domains not under their control (or the control of their users). With a bit of DNS poisioning you can now serve traffic through a Proxy and no one would notice (think: someone obtains a valid cert for google.com, sets the local DNS to resolve google.com to the IP of a server hosting a proxy and et voila, you can read all their encrypted traffic to google.com).