Closed
Description
There is a pref, security.enterprise_roots.enabled, that, when true, causes Firefox to trust CA certificates in the OS's cert store that aren't found in Firefox's own cert store.
There is behavior that automatically sets this pref to true when a TLS error occurs. The assumption is that the browser accesses the internet through a corporate proxy, or through some virus protection software, that feels the need to MitM the user's TLS traffic. So Firefox lets it.
The pref security.certerrors.mitm.auto_enable_enterprise_roots controls this behavior.
I suggest that both of these prefs should be set to false.
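
A way to check an existing profile for the two prefs named in this issue, as an added example that is not part of the original issue or the project's own code: it parses the text of `prefs.js` and `user.js` and flags either pref unless it is explicitly `false`. The sample file contents are constructed, and the function names and the status labels `ok`, `review` and `unset` are this example's own.

```python
import re

# The two prefs named in the issue above.
WATCHED = (
    "security.enterprise_roots.enabled",
    "security.certerrors.mitm.auto_enable_enterprise_roots",
)

# Matches lines such as: user_pref("some.pref", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)


def parse_prefs(text):
    """Return {name: raw_value}; a later line for the same pref wins."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    return {name: value for name, value in PREF_RE.findall(text)}


def audit(prefs_js, user_js=""):
    """user.js is applied over prefs.js at startup, so it takes precedence."""
    effective = {**parse_prefs(prefs_js), **parse_prefs(user_js)}
    report = {}
    for name in WATCHED:
        raw = effective.get(name)
        if raw is None:
            report[name] = "unset"    # not set in the profile; build default applies
        elif raw == "false":
            report[name] = "ok"
        else:
            report[name] = "review"   # true, or an unexpected value
    return report


# Constructed sample file contents, not taken from a real profile.
SAMPLE_PREFS_JS = '''
user_pref("browser.startup.page", 3);
user_pref("security.enterprise_roots.enabled", true);
'''
SAMPLE_USER_JS = '''
/* user_pref("security.enterprise_roots.enabled", false); */
user_pref("security.certerrors.mitm.auto_enable_enterprise_roots", false);
'''

if __name__ == "__main__":
    for name, status in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS).items():
        print(f"{status:7} {name}")
```

In the sample, the `user.js` line for `security.enterprise_roots.enabled` is commented out, so the `true` stored in `prefs.js` remains the effective value and is flagged for review.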