While it seems like certificate authority has the primary control here, the real control lies in browsers and operative systems in which certificate authorities are trusted. Users also have, at least for the moment, control to add or remove certificate authorities, even if that control is slightly less clear for devices like smart phones.

Digital certificates that signs software packages are used to enforce exclusion by some manufacturers. Let's encrypt is not in that space to my knowledge, but it is a place where you the owner do not have the right to determine which certificate authority should be trusted, and generally the only one that is trusted is the manufacturer. Its arguable if we even should be calling such entities a certificate authority, even if they technically are the owner of the root certificate that signs the package.