I was also confused about that. I don't use an Android phone currently, but I remember you could add your own CA certificates to an Android phone -without being root, just using some option under settings- and at least applications like the web browser would trust them. And I'm not talking about long ago. So I couldn't understand if the need of rooting your device to install custom certificates was for something different.
On Android 7, Google changed the defaults for certificates. Previously, apps trusted system certificates and user certificates unless they opted out. On Android 7, apps have to opt into trusting the user certificate store.
Browsers opt in, or in the case of Firefox, can be configured through hidden settings to opt in. Many other apps don't, though.
If you're trying to intercept traffic or use apps that should opt in but don't, the system store could be altered with root access so that these apps still trusted the certificates you're trying to inject. However, most apps worth their salt implement certificate pinning, so that's hardly reliable anymore. It's an old workaround that works on some apps but not on most.
Furthermore, Google Chrome and derivatives require certificates to be logged publicly so malicious CAs can't mess with random domains. Your private CA isn't logged in the public record, so adding the certificate to the system store actually breaks HTTPS for many browsers. You can add the cert to both stores to make it work, but it's kind of a hack.
On iOS loading certificates is easier, but you'll still need to work around certificate pinning if you want to intercept HTTPS traffic.
Thanks for your explanation! What I remember is from an Android version more recent than 7, probably 10, but maybe the browser was Firefox so in that case there was no need to have your device rooted.