This is a tracking issue for our side of sigstore/root-signing#539 and sigstore/root-signing#584: once the TUF repo contains trusted_root.json (or whatever it ends up being called), we should use that instead of retrieving each target in the trustroot individually.