Really we should learn to expect that "I don't support that" is the default unless somebody's _actual_ business is supporting you doing whatever it is. Which it rarely is these days. This obviously matters most for security, but it's true everywhere.

Another security example is that a tremendous amount of stuff ultimately decides whether to trust a certificate based on Mozilla's root trust programme.

That seems fine right? Well, kinda. It's definitely better than "I found this file named CA_TRUST.Z on an old Solaris machine in 1997 and so that'll have to do" as a policy.

But it's different from two things you or end users might expect you're achieving.

1. This isn't "You know, the same Certificate Authorities trusted everywhere". There is no such thing. The big root trust programmes have a fair amount of commonality, which is fine if you're out to obtain a certificate for a web site (pick anyone in the common set) but they aren't even close to mirrors. Mozilla's list is significantly different from Apple's which is likewise different from Microsoft's.

2. This also isn't "Like in Firefox". This problem is more subtle, after all the Firefox build process consumes the same file, ultimately, as your code does. But, Firefox has a long list of extra rules beyond whether or not something is in Mozilla's published trust store and your application would need lots of extra work to implement all those rules and track updates to them. Did you do that work? No you did not.

This probably won't bite you, and likewise relying on bits of BoringSSL that Google doesn't care about probably won't cause massive security problems in your code. But only probably.