I think the idea the parent is trying to express is that if the Linux distro (and OS X in this situation) comes with the root certificate trusted by default via ca_root_nss/ca-bundle or whatever the packager decides to name it they can disable it before even connecting to the internet, and if the certificate is not trusted by default then they don't need to worry about it magically getting trusted in the future outside of the simple fact of updating the root certificate store blindly without inspecting it.
Microsoft's approach means that the user would have to go find the certificate on the internet and blacklist it explicitly, which allows a small window where the computer is vulnerable to some kind of attack involving a certificate signed by the unwanted authority.
Microsoft's approach means that the user would have to go find the certificate on the internet and blacklist it explicitly, which allows a small window where the computer is vulnerable to some kind of attack involving a certificate signed by the unwanted authority.