They’re defined here: https://github.com/NixOS/nixpkgs/blob/733682c32929293341f113f297b64ea6319e9089/nixos/modules/security/ca.nix. The default ones come from `cacert`, which in turn is a packaged version of Mozilla’s bundle; see here: curl - Extract CA Certs from Mozilla.
You can blacklist those you don’t trust with `security.pki.caCertificateBlacklist`.
We have all those CAs because they’re the basic foundation of public key encryption with central authorities. Yes, the system is broken.
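As an added illustration (not part of the reply above), here is what such a configuration looks like in a NixOS module. The CA names are constructed placeholders; on a real system they must match the certificate names as they appear in the `cacert` bundle, and the optional private root shown under `security.pki.certificateFiles` is an assumed path, not something the post mentions.

```nix
# Added example: trim the system trust store on NixOS.
{ config, pkgs, ... }:

{
  # Remove individual CAs from the Mozilla-derived default bundle.
  # Names must match the bundle's certificate names exactly;
  # these two are constructed placeholders.
  security.pki.caCertificateBlacklist = [
    "Example Untrusted Root CA"
    "Example Untrusted Root CA 2"
  ];

  # Optionally add an organisation-internal root alongside the defaults.
  # Path is assumed for the example.
  security.pki.certificateFiles = [
    ./certs/internal-root.pem
  ];
}
```

After `nixos-rebuild switch`, the resulting bundle lives under `/etc/ssl/certs/`; grepping it for the blacklisted names is a quick way to confirm they are gone, and a trust-store change is worth recording in change management since it affects every TLS client on the host.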