Yes? This isn't that complicated. You break it, and when competitive browser X refuses to do so, you sell the idea that browser X is compromised for all users everywhere (not just in Kazakhstan)

Stop thinking about the country with literally less than 1% of world internet users and start thinking of the reputational damage a less than charitable presentation of your collaboration with a totalitarian state against your users would do to the other 99%+ of your market.

Apple is openly collaborating with Chinese regime, including allowing the government to snoop on all Chinese traffic, yet they still have a high reputation for privacy. This just doesn't work, people don't give a shit about other countries.

That's fair, but the country doing this will just fork an open-source browser and make it their official browser.

Sure. "don't use Kazakhfox, it's malware, we've submitted definitions to the AV databases" isn't a hard sell for your 99%+ audience.

Malware forks of open source projects (and closed-source software!) are not a new problem.

Except they are a new problem when the use of them is mandated by a nation-state.

Which is bad news for the ~15m internet users in Kazakhstan. For the ~4000m internet users not in Kazakhstan & generally immune to their rubber hose attack, protecting them from being one BGP fuckup away from being MITMed by a hostile foreign power is much more important.

Totally separate problem that I agree needs to be fixed.

In reality, being one BGP trick away from a mere dedicated individual or corporate owning certs for your domain is an actual risk today.