Not THE issuer. AN issuer. All of your devices have a number of trusted top-level issuers (Root certification authorities). Windows has about 50 preloaded, and this list largely matches what you’ll find on Android, Mac, etc. Everyone’s been mentioning Let’s Encrypt, which descends from ISRG Root X1. But you can (relatively) easily get certs from Thawte, Verisign, and many others.

And if none of those are to your liking, you can install your own. Seriously, there’s nothing technical stopping you. Most corporate devices (Windows, Mac, Linux; Android or iOS; mobile, client, server) have the company’s root certs installed. The challenge for public trust is exactly that- Trust. You must operate in a way that is generally trustworthy.

Let’s Encrypt was actually pretty revolutionary. You aren’t entirely off base with your concern. Prior to that, getting a cert that was trusted by most devices was non-trivial, and came with an expense. But that wasn’t because of the desire for encryption. Rather, it was about verifying that you were who you said you were. These also served as proof of identity.