It's the same with the RSA key exchange. It's inherent in the fact that the TLS negotiation exists to make both sides agree on a common master secret (and some public cryptographic parameters like which cipher to use), from which all the keys used to encrypt and authenticate either direction of the stream are derived. Once the master secret is known, all keys are known and the rest of the connection can be decrypted and/or forged at will. (The "triple handshake" attack exploits this, by making two connections share the same master secret.)
The certificate is used to sign (parts of) the values used to create the master secret. It doesn't sign anything after that.
The certificate is used to sign (parts of) the values used to create the master secret. It doesn't sign anything after that.