My harebrained idea for this:

- let companies register a wild card domain in the .local (or a newlocal) namespace: .acme.local

- designate the acme company with the ability to issue certs that never expire for any name in ".acme.local" but the browser will refuse to use certs signed with that key for anything outside "*.acme.local"

pros:

- the acme company can now make equipment that the users browser can connect to over an encrypted channel with zero config on the user's part

- the equipment can live off the internet indefinitely

- if the acme company is breached, and their signing key is stolen, the attackers can only use that key to impersonate acme company, it doesn't allow them to impersonate any other domains

cons:

- the browser manufacturers don't care about this use case so its never gonna happen

- the cert on the device never expires... and can never be replaced automatically somehow. I think the only workaround is acme could enable users to load their own certs if they are so inclined, but that shouldn't be required.

You should only have to store the self-signed cert exception once, at least on a given device. Now, if you're being targeted by a state-sponsored actor they might somehow be able to get you onto a honeypot network within the 2-minute window between plugging in your router and making your first connection to its web interface, but for everybody else a self-signed cert that you accept once during initial setup should be plenty good enough.