CA/Changing Trust Settings

252 bytes removed, 17:42, 8 April 2010
How Mozilla Products Respond to User Changes of Root Certificates
When you use your product's certificate manager to edit the trust flags on a certificate, the cert manager first looks for the cert in your database, and if it's there, that copy gets edited. If it's not there, the cert manager looks for a copy in the trusted cert list, and if found, copies it and its flags into your database and then edits it there. (After all, it cannot edit the copy in Mozilla's list, because that copy is read-only.) After that, the cert will remain in your database, and each time the product goes looking for it, it will find it in your database, not in the trusted list.
If you delete a cert in your database that is also in the trusted list, it may appear to be completely gone, until you restart your program, at which point it will reappear, because it never left the trusted root list. It may reappear with the trust flags from that list. That's why we tell people that if they want to get rid of a root, the thing to do is NOT to delete it, but rather to take away all its trust. (The behavior when a cert is deleted has changed a few times over the years.)
If you edit the trust on a cert in the root list, taking away (say) one of the 3 trust flags, but leaving the other two, then that cert and the two trust bits will be in your cert DB. After that, if Mozilla removes that cert completely from Mozilla's trust list, it will remain in your cert DB with those two trust flags. Mozilla's changes to the default trust list never affect your databases. Your databases contain what YOU put there. They're your changes, your responsibility.
In conclusion, the changes Mozilla makes to Mozilla's read-only list of trusted root certs affect only those certs that do not also appear in your cert DB. When you cause copies of any of those certs to appear in your cert DB, then you have taken control of the trust for those copies, and changes made by Mozilla thereafter to those certs will not affect you.
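As an added example (not part of this wiki page and not Mozilla's own tooling), the script below applies the advice above with NSS's certutil: it parses a `certutil -L` listing and, for the roots you name, strips every trust flag on the user-database copy with `certutil -M -t ",,"` instead of deleting it, so the override survives restarts and later changes to the built-in list. The listing, nicknames and database path are constructed sample values, and the `run` parameter is an assumption added so the logic can be exercised without certutil installed.

```python
import re
import subprocess

# Constructed sample of `certutil -L -d sql:<dir>` output; the nicknames are
# placeholders invented for this example, not real roots.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA - R1                                         CT,C,C
Example Email CA                                             ,C,
Example Distrusted Root                                      ,,
my-client-cert                                               u,u,u
"""

# certutil trust letters per field (SSL, S/MIME, object signing). Only these
# grant trust; 'u' merely marks a cert whose private key is in the database,
# 'p' is explicit distrust, 'w' is warn.
TRUST_LETTERS = set("cCTP")
LINE_RE = re.compile(r"^(.+?)\s+([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")

def parse_listing(text):
    """Map nickname -> trust-attribute string, skipping certutil's header lines."""
    certs = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # header lines carry no "x,y,z" flag triple and are skipped
            certs[m.group(1).rstrip()] = m.group(2)
    return certs

def grants_trust(flags):
    """True if any of the three fields still grants CA or peer trust."""
    return any(ch in TRUST_LETTERS for ch in flags)

def distrust_command(db_dir, nickname):
    """argv that clears all trust on the user-DB copy (deliberately not `certutil -D`)."""
    return ["certutil", "-M", "-d", f"sql:{db_dir}", "-n", nickname, "-t", ",,"]

def distrust_roots(db_dir, listing, nicknames, run=subprocess.run):
    """Clear trust on each named cert that still grants any; returns those changed."""
    certs = parse_listing(listing)
    changed = []
    for nickname in nicknames:
        if nickname in certs and grants_trust(certs[nickname]):
            run(distrust_command(db_dir, nickname), check=True)
            changed.append(nickname)
    return changed
```

Because `-M` edits (or first copies) the cert into your database, a later `certutil -L` will show the root with `,,` even after Mozilla changes or drops it from the built-in list.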