They may have non-HTTPS sniffing reasons for installing an internal CA, and it is highly recommended in an AD-connected environment. So while they may start hijacking traffic, you might be jumping the gun.
I will say that to avoid hijacking you need a clean DNS server. If you have local admin you could try and see if you can just change to 18.104.22.168/22.214.171.124, but if they're competent they're likely blocking DNS going through the firewall for exactly that reason.
I'd recommend you just bring in a personal laptop and buy one of those tiny battery-operated mobile WiFi hotspots, a "MiFi" (cellular-to-WiFi bridge), then just access the internet for personal usage entirely off of their equipment and network. It will cost less than $20/month with a pre-existing cellular plan.
e.g., T-Mobile Z915 + $10/month