What’s the best way to think about and mitigate CA vulnerabilities?
Use onions to completely not have to deal with them, or HARICA + onion if you absolutely must use HTTPS + onion. Let’s Encrypt is your go-to for clearnet HTTPS.
Not much can be done except what’s already been said and documented.
Also, it’s a general security question. https://www.whonix.org/wiki/Free_Support_Principle applies.