What’s the best way to think about and mitigate CA vulnerabilities?
Use onions to completely not have to deal with them or Harica + onion if you absolutely must use HTTPS + onion. Let’s Encrypt is your go to for clearnet https.
Not much can be done except what’s already been said, documented.
Also it’s a general security question. Free Support for Whonix ™ applies.