Even access to the private key doesn't permit a passive adversary to snoop on traffic that's using a ciphersuite that provides perfect forward secrecy, because the private key is only used to authenticate the session key negotiation protocol, which generates a session key that cannot be computed from the captured session traffic. Most SSL and TLS ciphersuites provide PFS nowadays.

An active adversary engaging in a man-in-the-middle attack on HTTPS can do it with the private key, as you suggest, but they can also do it with a completely separate private key that is signed by any CA the browser trusts. There are firewall vendors that openly do this to every single HTTPS connection through the firewall.

HPKP was a defense against this (https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) but HPKP caused other, worse problems, and was deprecated in 02017 and later removed. CT logging is another, possibly weaker defense. (It only works for CAs that participate in CT, and it only detects attacks after the fact; it doesn't make them impossible.)