This certainly was an issue but it's solved by ECH/DoH. As long as they aren't blocked on your network anyway.
> Also, State (sponsored) Actors are certificate authorities.
To generate a fake certificate as a CA you have to either put it in the Certificate Transparency log, in which case everyone will notice, or don't, in which case browsers will notice (they know what top sites' certificates are supposed to look like) and your CA will get shut down.
Someone should really test it, real red team black hat style and then fully publish the results. Try to mitm https with real unlogged certs and see what happens. Preregister the whole fully detailed procedure on blockchain. And report to public results fully, with proofs of being caught.