The flatpak firefox on Bazzite doesn’t seem to honor system CA’s in /etc/pki/ca-trust/source/anchors
CA certs added to this folder does show up in trust list, so pk11-kit is picking them up
NSS should use pk11-kit by default and flatpak firefox should use NSS
The security device information shows pk11-kit as a registered device, but shows a path of null? I not sure if that is a problem.
A similar symptom to this was fixed in fedora 32, but I am not smart enough on this to know if the problem is the same.
This might be a problem that should be reported on the firefox website, but I don’t know if this is happening anywhere other than bazzite; so I figured I would start here.