
I think this decision should be inverted - user/admin-installed CAs should be trusted by default (but not able to be preloaded, by say a malicious cellphone employee at a store), but the entire public CA list (aka, "people we expressly allow to MITM you") should be run in front of and require approval by the user.

But that's a problem everyone seems comfortable with ignoring...



A user would not be able to tell whether they can trust a public CA (they probably have nfi what it is).

A user-installed CA is more likely done by an automated means (such as a jailbreak, or malware) than the user themselves. This choice means they can at least stop some malware/crapware. Yes, the legitimate users with self-installed CAs got screwed over, but in Google's eyes, those people are going to put up with it, because they've already invested in the Android platform (and won't switch to iPhone).



