
D'oh. Would this man-in-the-middle attack have worked if Path validated against a CA or stored cert and only submitted the data when it was sure it wasn't being snooped on?


I've come across the latter, but it's not a difficult thing to get around if you're willing to play with the binary. You might be able to recognize the stored cert and sub it out with your own, or you can just ensure the branch that validates it never runs.


Presumably Apple could demand the ability to change the certificate an app validated against for testing purposes, if Apple cared enough to do that.


Nope. Turns out Siri was (at least originally, not sure if it still is) vulnerable to the same attack.



