I would like to raise that per RFC 5280 secton 6.1, TLS verification could be established with a trust anchor which is an intermediate CA and not the root CA in the chain. However, working with psql CLI, sslmode=verify-ca or verify-full, I need to specify sslrootcert to a file containing the root CA.
I think the behavior is derived from libpq and openssl. However, I would like to raise it for a debate on the reasoning and would appreciate the PG team position on it.
NOTE: I am aware that OS-trust works with sslrootcert=system in PG 16+.