FWIW, here's what I just did on my (Arch) Linux machine:
$ for f in /etc/ssl/certs/*.pem; do sudo ln -sfn "$f" /etc/ca-certificates/trust-source/blacklist/; done
$ sudo update-ca-trust
This will block all currently installed CAs (as well as double-block some, but that doesn't really matter). You then need to add them back in. Restart your browser, and go to websites you access frequently (change them to https:// if necessary). Click the (broken) padlock and read off what CA they used; remove the corresponding .pem file from the blacklist directory. Some might be signed by intermediate certs and thus hard to find, but SSL Shopper has a great chain inspection tool at https://www.sslshopper.com/ssl-checker.html you can use to identify the topmost CA cert you need to whitelist.
After you're done, run sudo update-ca-trust again, and restart your browser. All normal sites should work, and you've gotten rid of ~160 root certs.
If it's of interest to anyone, here are the ones I whitelisted to get all sites I bothered to try up and running:
$ sudo rm DigiCert_* GeoTrust_* Go_Daddy_* GlobalSign_* VeriSign_* StartCom_Certification_Authority* COMODO_* AddTrust_* Thawte_* thawte_Primary_Root_CA* Baltimore_CyberTrust_Root.pem UTN_USERFirst_Hardware_Root_CA.pem Visa_eCommerce_Root.pem
$ ls /etc/ssl/certs/*.pem | wc -l
206
$ ls /etc/ca-certificates/trust-source/blacklist/ | wc -l
163
EDIT: Note that this is not a perfect solution; the CAs you've whitelisted could still go bad, and you'll need to blacklist any new CA certs that are added with subsequent ca-certificates updates. But it's a start.
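The same blacklist-all-then-whitelist procedure as a script, added here as an example (not the poster's code), with the two directories as parameters so it can be rehearsed on a scratch copy before touching /etc. root_for_host replaces the manual chain-inspection step using openssl s_client and assumes update-ca-trust leaves OpenSSL subject-hash links (<hash>.0) in /etc/ssl/certs.

```shell
#!/bin/sh
# Arch defaults: SRC=/etc/ssl/certs, DST=/etc/ca-certificates/trust-source/blacklist.
# Run as root against those paths, then `update-ca-trust` and restart the browser.

# Symlink every bundle cert from SRC into the blacklist directory DST.
blacklist_all() {
    src=$1; dst=$2
    mkdir -p "$dst"
    for f in "$src"/*.pem; do
        [ -e "$f" ] || continue
        ln -sfn "$f" "$dst/$(basename "$f")"
    done
}

# Remove blacklist entries matching the given file-name globs, e.g.
# 'DigiCert_*' 'GlobalSign_*'. Only symlinks are removed, so a real file
# someone placed in the blacklist directory by hand is left alone.
whitelist() {
    dst=$1; shift
    for pat in "$@"; do
        for f in "$dst"/$pat; do
            if [ -L "$f" ]; then rm "$f"; fi
        done
    done
}

# Number of entries in a directory (the `ls ... | wc -l` check above).
count_entries() {
    find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# Print the issuer of the last certificate a live server sends (the root, or
# the intermediate directly under it) and the bundle file that issuer maps to
# via the assumed <subject-hash>.0 links, i.e. the file to remove from DST.
root_for_host() {
    host=$1; src=${2:-/etc/ssl/certs}
    chain=$(openssl s_client -connect "$host:443" -servername "$host" -showcerts \
              </dev/null 2>/dev/null | awk '/BEGIN CERT/,/END CERT/')
    # Keep only the final PEM block of the chain.
    last=$(printf '%s\n' "$chain" | awk '/BEGIN CERT/{c=""} {c=c $0 "\n"} END{printf "%s", c}')
    printf '%s\n' "$last" | openssl x509 -noout -issuer
    h=$(printf '%s\n' "$last" | openssl x509 -noout -issuer_hash)
    if [ -e "$src/$h.0" ]; then
        printf 'bundle file: %s\n' "$(readlink -f "$src/$h.0")"
    fi
}
```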