The browser updates will refresh the cert store. To see yours and the overrides file use:
find ~/.mozilla -type f -name "cert*"
cert9.db is a sqlite database file and cert_override.txt is a text file with dns names and certificate fingerprints. There are probably scripts to drive this tool [1] for automating removal of certs assuming FF is not running but I have not looked for any. Here [2] is someone making it work on Windows.
I suppose one could set the file immutable once it is in the desired state but I have no idea how well Firefox will deal with not being able to update it. I would hope it just throws some stderr noise. The risk of course is that new CAs would not get added unless your script deals with comparing the updated cert9.db and your custom file and alerts you when new CAs show up. It's probably best to make use of the overrides file rather than removing certs from their cert9.db file.
[Edit] I totally missed that a comment further down in the linked article actually explains how to use the certutil tool to manage overrides by Rowena
[1] - https://firefox-source-docs.mozilla.org/security/nss/legacy/...
[2] - https://stackoverflow.com/questions/58550397/can-t-use-mozil...
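The comparison the comment describes (checking an updated store against your known-good state and alerting when new CAs show up), as an added example that is not part of the original comment. It assumes you saved a nickname/trust listing in the format `certutil -L` prints before and after a browser update; the two listings and all nicknames below are constructed.

```python
import re

# One row of a `certutil -L` style listing: nickname, then the trust column
# (SSL,S/MIME,JAR/XPI) made of the NSS trust flag letters.
ROW_RE = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")

def parse_listing(text):
    """Map certificate nickname -> trust attributes; header lines do not match."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            certs[m.group("nick").strip()] = m.group("trust")
    return certs

def diff_trust(baseline, current):
    """Report nicknames added, removed, or whose trust flags changed."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted((n, baseline[n], current[n])
                          for n in both if baseline[n] != current[n]),
    }

# Constructed sample listings (not real output from any profile).
BASELINE = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

Example Root CA 1                            CT,C,C
Internal Test CA                             C,,
"""
CURRENT = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

Example Root CA 1                            CT,C,C
Internal Test CA                             ,,
Example Root CA 2                            CT,C,C
"""

if __name__ == "__main__":
    report = diff_trust(parse_listing(BASELINE), parse_listing(CURRENT))
    for nick in report["added"]:
        print(f"ALERT new CA in store: {nick}")
    for nick in report["removed"]:
        print(f"NOTE CA no longer present: {nick}")
    for nick, old, new in report["changed"]:
        print(f"ALERT trust changed for {nick}: {old!r} -> {new!r}")
```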