Yes! Context specific CA trust would be great, but AFAIK isn't possible yet. Even name constraints, which are domain name limitations a CA or intermediate cert place on itself, are slowly being supported by relevant software [1].
As a contractor, I'll create a per-client VM for each contract and install any client network CAs only within that VM.
As a contractor, I'll create a per-client VM for each contract and install any client network CAs only within that VM.
[1] https://alexsci.com/blog/name-non-constraint/