One issue is that browsers and other clients have a difficult time handling certificate revocation. Let’s Encrypt is stopping support for OCSP, and that had a lot of privacy implications where a CA could tell who is going to what site, based on the requests to check certificate revocation. Let’s Encrypt is moving to CRLs, but the size of the CRL is very large the more certificates you have. For Let’s Encrypt with only a 90 day validity period, their CRL is smaller than a CA which has certificates as much as 398 days old.

The size of the CRL is something not only CAs have to manage, on the client side, you may have to check a 10MB file to see if the certificate for the site you’re connecting to is still trusted by the CA. With many CAs, these CRLs will take up a lot of space on disk, and need to be updated often. Mozilla published a system called CRLite which uses Cascading Bloom Filters to keep track of revoked certificates in the browser, which will save a lot of space. Having a constrained set of revoked certificates is useful to ensure the bloomfilter won’t be too large for the browser to store and manage.

You can even get every achievement in a game, and return it for a full refund, granted you can beat the game in under two hours. Someone did it with resident evil 3 remake: https://www.youtube.com/watch?v=Bp8a5EjAcGs

If your school or employer has an MDM solution on their laptop that they issue to you, you have 0% of privacy. You could use DNS over HTTPS which will prevent your DNS queries from being picked up, but the MDM could issue their own CA and even intercept https traffic. They can also record your keystrokes and screen. It would be wise to think of the machine as compromised, just not by a threat actor.

For maximum privacy, only use the devices for the minimal work necessary. Don’t log into anything for personal use, and use a separate device you’ve purchased yourself.