On its own the root does not magically intercept the traffic, so Kazakh ISPs will need to do a bunch of (potentially quite expensive) work to actually MITM traffic for the Kazakh government, but with the root once that work is done it doesn't get flagged as a problem.
Because this exact same strategy (root that is not trustworthy is installed) is used in corporate setups to do anti-exfiltration, porn filtering and dozens of other things of dubious value, browsers are designed to let you, or the computer's administrator, choose to trust root CAs and indeed lots of counter-measures that protect ordinary users from bad guys are deliberately _disabled_ in the scenario where you've told it to trust some third party. You know best.
If you imagine a hypothetical system which just doesn't trust this root, say somebody has a Raspberry Pi they smuggled across the border, or more prosaically, they just said "No" and refused to install the root certificate -- such a system just will treat the MITM as an error, your secure web browsing won't work because it can't make a secure connection.
Or contrariwise, suppose you install the root in an otherwise ordinary PC in New York connected to AT&T, it will have no effect because the Kazakh government obviously isn't in New York MITMing your connections to other stuff.