What's the practical difference between system store and user store? Do some apps or system operations only trust the system store and not the user store?
The user store is a certificate store that the user can add certificates to. It used to be the case that by default apps would get certificates from both stores if they asked the system for certificate authorities to validate against, with the option to opt out of specific stores, but this changed years ago. Now apps need to opt into loading user configured certificate authorities.
The system store, located in /system/etc/cacerts, is baked into the system image and can't be altered without root. The user store, located under /data, can be updated from the phone's settings.
The system store is now the default store all apps use to validate certificates, unless they pack their own certificate authorities. Many apps doing certificate pinning will do that as well, which prevents them from being MitM'd without injecting code into them.
I don't know the difference between the user and system store, but I do know that apps can choose not to trust certs installed by the user and instead only trust their own that they bring with them. Was frustrated to find this when I was trying to MITM an app to see what it was up to on the wire.
Apps used to trust the user store by default, but that changed back in Android 7. Now they only trust the system store by default and need to opt into also loading the user store. So, it's not that they look at the stores and pick one, it's that the user store has effectively been disabled for most apps (browsers usually work, thankfully). Even Firefox for Android will only use the user store if you go through a five step process to open the hidden settings.
Some apps do certificate pinning, which basically only validates certificates against a specific certificate authority and completely defeats any system certificate store.
You can MitM these apps by injecting code to bypass their restrictions. The eBPF methid linked above works, or you can use Frida in root or rootless mode to inject a variety of existing scripts to defeat certificate validation. This is a lot more involved than installing a certificate authority, but it'll work if you want to reverse an app.
Not rhetorical questions.