Am I wrong to think this opens a gaping security hole?
Adding a new root CA means anyone who gets their hands on the keys (which are openly available to the user of mkcert) gets to completely obliterate your ‘trust’ store and MITM any of your secure connections.
AFAIK attackers with local access already have lots of ways to exploit your system.
However, for added security you could run mkcert on another computer that is not connected to a network. Then you just copy the root cert and the leaf cert to your dev machine, but leave the root cert’s private key offline.
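The offline-CA workflow described in this reply, as an added example that is not part of the thread: the runnable part is a check that the CAROOT copied to the dev machine contains mkcert's root certificate but not its private key. It assumes mkcert's file names rootCA.pem and rootCA-key.pem and that `mkcert -install` accepts a key-less CAROOT, both per mkcert's own documentation; the mkcert invocations themselves are shown only in comments.

```shell
#!/bin/sh
# Offline machine (not run here): creates CAROOT/rootCA.pem, rootCA-key.pem
# and the leaf cert + key for the given name.
#   mkcert localhost
# Dev machine (not run here): CAROOT holds rootCA.pem only, then install it.
#   export CAROOT=/path/to/copied/caroot
#   mkcert -install

# Returns 0 if the directory is a key-less CAROOT, non-zero otherwise.
check_offline_caroot() {
    caroot="$1"
    [ -f "$caroot/rootCA.pem" ] || { echo "missing rootCA.pem in $caroot"; return 1; }
    [ ! -e "$caroot/rootCA-key.pem" ] || {
        echo "rootCA-key.pem present in $caroot: CA key copied to dev machine"; return 2; }
    # Also refuse a world-writable CAROOT: anyone could replace the root.
    perms=$(stat -c %a "$caroot" 2>/dev/null || stat -f %Lp "$caroot")
    case "$perms" in
        *[2367]) echo "CAROOT $caroot is world-writable"; return 3 ;;
    esac
    echo "ok: key-less CAROOT at $caroot"
    return 0
}

# Constructed demonstration: one good and one bad CAROOT with placeholder files.
demo() {
    good=$(mktemp -d); bad=$(mktemp -d)
    echo "-----BEGIN CERTIFICATE----- (constructed placeholder)" > "$good/rootCA.pem"
    cp "$good/rootCA.pem" "$bad/"
    echo "constructed placeholder key" > "$bad/rootCA-key.pem"
    if check_offline_caroot "$good"; then g=0; else g=$?; fi
    if check_offline_caroot "$bad"; then b=0; else b=$?; fi
    rm -rf "$good" "$bad"
    echo "good=$g bad=$b"
}

demo
```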
That is a risk, but not an uncommon one. There are a dozen other workflows that rely on users installing CAs, maybe not quite w/o root, but all the same, installed, so this isn't a new idea.
Also, it seems to me that virtually any way to get those keys involves hostile code running on your machine, meaning you're already toast.
I do also wish it didn't install certs as non-root, but as pointed out in another comment, there is a workaround for that.