Just like we link libSystem when CGO_ENABLED=0, we can probably do the same with Security.framework for obtaining the root CAs, and drop the horrible no-cgo fallback path that shells out to security. The latter is slow and makes some dangerous approximations due to not having access to the actual trust policies.

Suggested by @zx2c4.