I found it explaining Linux: Where is Golang picking up root CAs from?
I want to understand how it's done on MacOS. Thanks.
On macOS (and also Windows), Go does not load root certificates from the filesystem. Instead, Certificate.Verify calls c.systemVerify which uses APIs provided by the OS to validate certificates.