• leisesprecher@feddit.org
    4 upvotes · 23 hours ago

    Let’s say you open Youtube (or any other site) in your browser. Normally, that connection is encrypted end-to-end, so only Youtube and you see what data is being sent. An outside observer (your employer, your ISP, etc.) might deduce from the network traffic that you’re accessing YT, and how long/how much data, but nothing else.

    This encryption is based on SSL/TLS. In a small nutshell, that works by having a chain of cryptographically signed certificates that prove to you that YT is really YT, and not someone else (your employer, for example). Attacks like this are called Man in the Middle (MITM). The certificate chain, however, needs an anchor. Somewhere to start. These are called Root CAs (certifying authorities). Typically these are dedicated companies or large ISPs. Their certificates (the public parts) are stored on your device from the factory (more or less). And thus your device can verify the entire chain of trust from the certificate YT sent you down to the Root CA…

    Now, if someone were to install a new Root CA certificate on your device, then that entity could become a Man in the Middle: it acts as a relay for all of the traffic going out of your device, can read everything sent over the wire, and your device wouldn’t even know it. If that entity were part of a US company, they would be legally forced to hand over all their data to the NSA, FBI, etc., even if the actual data transfer would happen completely within Europe.

    This is exactly what Twingate seems to do. CrowdStrike and Zscaler are similar products.

    The underlying problem here is that IT security in large organizations doesn’t mean “How can we be secure?”, but “How can we make a legal argument that we did nothing wrong?”. So security clusterfucks like this can be implemented, since the CTO can claim not to have been negligent.

    PS: The description above is obviously very simplified, the Wiki articles for SSL/TLS are much better.
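    One practical way to check your own device for the situation described above (a trust anchor that was added after the factory set) is to fingerprint every root your TLS stack trusts and compare it against a baseline you recorded on a known-good machine. This is an added illustration, not code from the comment author or from any of the products named; the baseline set and the demo inputs are constructed.

```python
import hashlib
import ssl
from typing import Iterable, List, Set


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def unexpected_roots(der_certs: Iterable[bytes], baseline: Set[str]) -> List[str]:
    """Fingerprints of trust anchors that are not on the baseline list.

    Every anchor returned here can vouch for a certificate issued for any
    hostname, so each one is a potential interception point worth examining.
    """
    return sorted({fingerprint(c) for c in der_certs} - baseline)


def audit_system_store(baseline: Set[str]) -> List[str]:
    """Compare the roots Python's default TLS context trusts with the baseline."""
    ctx = ssl.create_default_context()
    # create_default_context() already loaded the OS trust store;
    # binary_form=True returns each anchor as DER bytes we can hash.
    return unexpected_roots(ctx.get_ca_certs(binary_form=True), baseline)


if __name__ == "__main__":
    # Constructed demo input: two stand-in "certificates". Real input is the
    # DER bytes from the trust store; the function only hashes what it gets.
    known = b"constructed-root-A"
    extra = b"constructed-root-B"
    baseline = {fingerprint(known)}
    print("demo, roots not on baseline:", unexpected_roots([known, extra], baseline))
    # With an empty baseline every installed root is reported, which is how
    # you build the baseline once on a device you trust.
    print("system store, roots not on baseline:", len(audit_system_store(set())))
```

Store the baseline somewhere the device itself cannot silently rewrite, otherwise whoever adds a root can also add its fingerprint to the list.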

    • Sirius006@sh.itjust.works
      2 upvotes · 21 hours ago

      Wow, thanks a lot for the detailed explanation. More than enough for me for the moment, but it seems I’ll have more changes to make than I thought, and a lot more research.