
But you're really just trading one trusted party for another, right? Now you don't need to trust your ISP (as much), but you do need to trust the certificate authorities.


Many ISPs have repeatedly demonstrated they are untrustworthy. Unfortunately in the US they tend to have regional monopolies. I don't have a realistic option outside of Comcast. So I have no choice but to use a shitty ISP and all of my traffic has to pass through them.

I do have a choice in trusting certificates. I can revoke trust of certificates, chains, and even root certificates. I can also choose to trust self-signed certificates. But I don't have to trust my shitty ISP not to meddle in my traffic. I also don't have to trust the networks between my shitty ISP and a server. I don't need to trust those networks because I can verify a server's traffic against a chain of signing keys.

With unencrypted traffic every network between nodes is going to peek at the content and you have no way of knowing if they modified it in transit*. TLS provides encryption and verification. I don't trust my ISP at all. I don't have unlimited trust in CAs but they have less ability to compromise all of my traffic like my ISP.

* Without pre-shared signing keys.