States are themselves extraordinarily large IT enterprises, they generally want control of traffic and its transparency or protection, and they are large enough to get arrangements for that, though usually not this particular arrangement.
Large enterprises in the US generally have the same capability, but not loaded into operating systems by default (that is: Walmart's ability to do this on its own network in no way impacts you, who have never worked on that network).
If you're a large enterprise, then it's trivial to add yourself your own custom CA and save the cost/hassle of needing to deal with outside companies. The tradeoff being you need to manage it yourself vs basically paying this third party company to survive?
That's true, but in the bad-old-days of the antidiluvian WebPKI it was somewhat routine to sell big companies CA=YES certs simply to allow them to do this universally without pushing out updates to all their endpoints. It was a terrible, bad practice, and so far as I know it's completely dead now --- except for Microsoft, I guess.
Large enterprises in the US generally have the same capability, but not loaded into operating systems by default (that is: Walmart's ability to do this on its own network in no way impacts you, who have never worked on that network).