I mentioned the .cn government (and their root CA(s)) because the article mentioned the .cn government, specifically, and the parent comment mentioned "any government that controls a CA".
Obviously, any government with a) control over a root CA and b) control over their entire country's Internet access could carry this out. The article we're commenting, however, called out .cn by name.
Maybe for targeted attacks against individuals.
2. If they use chrome, certificate transparency will log these
Unfortunately chinese people don't really use Chrome.