
>1. It has its own certificate system. That would be fine if it used that in addition to using the MacOS built in system, but it seems to use it exclusively.

fwiw Chrome does this too. It's effectively standard practice for browsers - OSes routinely have very out-of-date cert stores, and don't regularly remove revoked ones. Browsers ship it separately because it's such a major security concern for browsing.




Chrome on MacOS does use the Mac's built-in system. Going to the privacy settings (chrome://settings/privacy), and clicking "Manage certificates" just launches the MacOS "Keychain Access" application.

To get Chrome on MacOS to use my employer's self-signed root certificate, I just had to import it with "Keychain Access" and then both Chrome and Safari used it.

It may also have its own built-in certificate system, but for user-added certificates, it uses the built-in MacOS system.


On Windows, Chrome actually uses the Windows certificate store.

As for Firefox (on Windows), there is a setting called "security.enterprise_roots.enabled" in about:config which you can enable or push via GPO.

From docs it appears it works on Mac too: https://support.mozilla.org/en-US/kb/setting-certificate-aut...
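
An added example, not part of the thread or any commenter's code: a Python check of whether each Firefox profile sets the `security.enterprise_roots.enabled` preference mentioned above, read from the profile's `prefs.js` and `user.js`. Function names and sample contents are constructed for illustration; `None` means the profile does not set the pref, so Firefox's built-in default applies.

```python
import re
from pathlib import Path

PREF = "security.enterprise_roots.enabled"
# prefs.js / user.js entries look like: user_pref("name", value);
# Lines commented out with // do not match because of the ^\s* anchor.
_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample file contents (not taken from a real profile).
SAMPLE_PREFS = 'user_pref("browser.startup.page", 3);\n' \
               'user_pref("security.enterprise_roots.enabled", false);\n'
SAMPLE_USER = '// managed by IT\n' \
              'user_pref("security.enterprise_roots.enabled", true);\n'

def read_pref(text, name=PREF):
    """Return True/False for the last assignment of `name`, or None if unset."""
    value = None
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) == name and m.group(2) in ("true", "false"):
            value = m.group(2) == "true"
    return value

def profile_setting(prefs_js="", user_js=""):
    """user.js is applied on top of prefs.js at startup, so it wins if it sets the pref."""
    override = read_pref(user_js)
    return override if override is not None else read_pref(prefs_js)

def audit(profiles_root):
    """Map each profile directory under profiles_root to True, False or None."""
    results = {}
    for profile in sorted(Path(profiles_root).iterdir()):
        if not profile.is_dir():
            continue
        texts = []
        for fname in ("prefs.js", "user.js"):
            f = profile / fname
            texts.append(f.read_text(errors="replace") if f.is_file() else "")
        results[profile.name] = profile_setting(*texts)
    return results

if __name__ == "__main__":
    print(profile_setting(SAMPLE_PREFS, SAMPLE_USER))
```
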


No - Chrome uses the OS certificate store on both Windows and MacOS and hence works with all internal apps of enterprises that generate client certificates for their users and manage the OS certificate using strict policies.

Firefox does not.



