Good analysis. I agree that it’s concerning that Yandex’s browser can update certs on the fly now.
To be fair, it is barely more concerning than just trusting the certificate to begin with. It seems like they are giving themselves 2 points of correction. If they lose the root cert key, they can issue a new root cert. If they lose the config signing key, they can roll out a new browser while they continue to use the same root cert. Of course, this is usually accomplished by sub certs that the CA uses, so it is interesting that they took a more custom approach.