These are roots that the NSS trust store includes, but doesn't trust as
a CA by default -- that is, they are still trusted for some uses. Such
certs are not an unknown quantity, and it may be the case that they were
only recently moved to MUST_VERIFY_TRUST.
One instance of this from April[0] is an older DigiCert Global Root that
they retired under a new policy of no longer trusting roots whose key
material is 15+ years old. This cert in particular still had ~32 million
validations on average *daily* just before retirement, according to the
cited bug, so you can imagine that some users may have reason to retain
trust for a period of time.
Instead of marking them completely untrusted (which is rather permanent
and doesn't allow overrides by placing a copy in trusted in /usr/local),
move them to a new category that isn't visible to certctl: known. The
main reason to retain them, IMO, is to avoid the sysadmin having to fetch
a copy elsewhere and verify that they got the right one -- that introduces
risk that isn't necessary when we can still provide a copy that is
trusted for other purposes.
The other note I'd mention is that this probably makes more sense
because the current version of certdata.txt trusts roots mostly for
either SERVER_AUTH or EMAIL_PROTECTION, and never CODE_SIGNING. It may
be the case that a root trusted purely for CODE_SIGNING isn't of
interest and shouldn't be recorded in known, while one for
EMAIL_PROTECTION may be relevant to a broader set of FreeBSD users.
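As an added illustration of the split described above (not FreeBSD's certctl(8) or MAca-bundle.pl, and not part of the commit message), the following Python reads objects in certdata.txt syntax, decodes the MULTILINE_OCTAL blobs, and sorts each root with a CKO_NSS_TRUST record into buckets. The bucket policy is an assumption modelled on the discussion: CKA_TRUST_SERVER_AUTH of CKT_NSS_TRUSTED_DELEGATOR gives "trusted", CKT_NSS_NOT_TRUSTED gives "untrusted", otherwise CKT_NSS_TRUSTED_DELEGATOR for CKA_TRUST_EMAIL_PROTECTION gives "known", and anything else (such as a CODE_SIGNING-only root) is ignored. The sample input is constructed, its certificate blobs are placeholders rather than real DER, and the join of certificate to trust object on CKA_LABEL is a simplification.

```python
"""Sort the roots in an NSS certdata.txt into trusted / known / untrusted buckets.
Added example, not FreeBSD's certctl(8) or MAca-bundle.pl; the bucket policy is
an assumption modelled on the discussion above: SERVER_AUTH TRUSTED_DELEGATOR ->
trusted, SERVER_AUTH NOT_TRUSTED -> untrusted, else EMAIL_PROTECTION
TRUSTED_DELEGATOR -> known, else ignored (e.g. a CODE_SIGNING-only root)."""
import base64
import re
from collections import defaultdict

TRUSTED, NOT_TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR", "CKT_NSS_NOT_TRUSTED"
MUST_VERIFY = "CKT_NSS_MUST_VERIFY_TRUST"
_OCTAL = re.compile(r"\\([0-7]{3})")  # one \ooo escape inside MULTILINE_OCTAL

def parse_certdata(text):
    """Return every object as {attribute: value}; a new object starts at CKA_CLASS.
    MULTILINE_OCTAL blobs become bytes, UTF8 values lose their quotes, and any
    other value (CK_TRUST, CK_BBOOL, ...) is kept as the literal token."""
    objects, cur = [], None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        attr, ctype, value = (line.split(None, 2) + ["", ""])[:3]
        if attr == "CKA_CLASS":
            cur = {}
            objects.append(cur)
        if cur is None:
            raise ValueError("attribute before first CKA_CLASS: " + line)
        if ctype == "MULTILINE_OCTAL":
            buf = bytearray()
            for octal_line in lines:  # same iterator: swallow lines up to END
                if octal_line.strip() == "END":
                    break
                buf.extend(int(o, 8) for o in _OCTAL.findall(octal_line))
            cur[attr] = bytes(buf)
        elif ctype == "UTF8":
            cur[attr] = value.strip('"')
        else:
            cur[attr] = value
    return objects

def classify(trust):
    """Map one CKO_NSS_TRUST object to a bucket (assumed policy, see module doc)."""
    server = trust.get("CKA_TRUST_SERVER_AUTH", MUST_VERIFY)
    if server == TRUSTED:
        return "trusted"    # a TLS CA: goes into the bundle
    if server == NOT_TRUSTED:
        return "untrusted"  # explicitly distrusted upstream
    if trust.get("CKA_TRUST_EMAIL_PROTECTION", MUST_VERIFY) == TRUSTED:
        return "known"      # not a TLS CA by default, but still trusted for S/MIME
    return "ignored"        # CODE_SIGNING-only, or trusted for nothing

def to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def bucket_roots(text):
    """Return {bucket: {label: pem}}. Certificate and trust objects are joined on
    CKA_LABEL (assumed unique; a stricter join uses CKA_ISSUER + CKA_SERIAL_NUMBER)."""
    objects = parse_certdata(text)
    certs = {o["CKA_LABEL"]: o for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    buckets = defaultdict(dict)
    for o in objects:
        if o.get("CKA_CLASS") == "CKO_NSS_TRUST" and o["CKA_LABEL"] in certs:
            buckets[classify(o)][o["CKA_LABEL"]] = to_pem(certs[o["CKA_LABEL"]]["CKA_VALUE"])
    return buckets

# Constructed sample in certdata.txt syntax; the CKA_VALUE blobs are 7-byte
# placeholders rather than real certificates, so the emitted PEM will not parse.
SAMPLE_CERTDATA = r"""
BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example TLS Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001\002\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example TLS Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Retired Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Retired Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001\002\001\003
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
"""
```

Running bucket_roots(SAMPLE_CERTDATA) puts "Example TLS Root" under trusted, "Example Retired Root" (MUST_VERIFY_TRUST for server auth, still a delegator for email) under known, and "Example Distrusted Root" under untrusted; a root whose only TRUSTED_DELEGATOR flag is CKA_TRUST_CODE_SIGNING lands in the ignored bucket and is never written out. Each bucket's PEM text is what a tool in the spirit of certctl would drop into the corresponding directory, with the known set kept available for a sysadmin to copy into trusted under /usr/local without fetching the cert from elsewhere.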