(1) is not technically possible unless Google issues new certificates for each site they want to inspect, and they would immediately be untrusted for doing so. (Admittedly, a CA did this once and is still alive, but they came very close to getting axed.)
>and they would immediately be untrusted for doing so
Untrusted by whom? Let me remind you that Google also owns the most popular browser used to access the web. There are already plenty of websites that don't work in any other browser. So they won't even notice if non-Google browsers suddenly don't trust the certificate anymore.
I agree with your point, though you might be exaggerating their current market share a bit. But Chrome does not make certificate trust decisions on most platforms, so it would certainly be a wild scenario for them to do something like this.
I think your (1) makes it sound like more work than it really is
What you'd do is issue a subCA, an intermediate certificate that says whoever has this key is allowed to issue more certificates, then you bake that subCA and the key into a MITM appliance. It mints the leaf certificates, in real time, when a connection happens. At the scale of a medium-sized corporation you can buy this off the shelf from a dozen or more companies, but obviously the off-the-shelf product produces untrustworthy certs.
Usually what a business does is they set Windows Group Policy to say oh, actually we trust these bogus certs. They're supposed to mint a new key for this purpose, but I've seen big companies screw that up and trust the demo keys supplied with the product. This is fine because they're your machines, you set Group Policy. Don't want to trust dubious third rate "MITM appliances" from so-called security companies? Then don't add one in Group Policy.
But if you gave these MITM appliances a "real" publicly trusted subCA they would work, and it would be seamless as far as ordinary Web users are concerned (it's not entirely undetectable, but no ordinary users would notice). It would definitely work for a fair-size company, or a small country. And maybe if you had the hardware and the money you could do it to, say, China, or America.
We know TrustWave issued such a subCA to Walgreens, which caused a big fuss in 2012, and Mozilla told CAs that even though their policies had never specifically forbidden this it was a terrible idea, and they needed to confess and stop doing it. In 2013 the French government was caught doing this too, and their CA root was locked to ccTLDs controlled by France (France owns a bunch of quasi-independent little island nations with TLDs) in Firefox. In 2015 CNNIC did this "by mistake" selling a subCA to a company that, it says, didn't even want a subCA but just somebody screwed up. CNNIC was distrusted.
