EU Article 45 requires that browsers trust certificate authorities appointed by governments

The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from…

  • sonymegadrive@feddit.uk
    10 months ago

    That means cryptographic keys under one government’s control could be used to intercept HTTPS communication

    Could someone smarter than me explain how this would be possible? Wouldn’t the browser still be able to enforce privacy between the client and origin? Or is it the case that certificates issued by these CAs could in theory only support weaker cyphers?

    Edit: Some really useful explanations. Thank you!

    • CrabLangEnjoyer@lemmy.world
      10 months ago

      The government CA could just issue a new certificate for, let’s say, Google, force your ISP to return a wrong IP when you ask your ISP’s DNS server what the address of Google is, and then return a fake Google page instead or forward traffic to Google on your behalf and read all data. And since your browser trusts the new fake Google certificate from the government, you won’t get any HTTPS error or warning.

    • krigo666@lemmy.world
      10 months ago

      The CA (Certification Authority) is what validates the encryption certificates that TLS uses in HTTPS. In this case it can certify a cypher that can be used in a site’s certificates and be known to a government agency (the 3rd party) and used to decrypt the HTTPS stream. This is basically a Man-In-The-Middle attack.

    • vagabond@lemmy.dbzer0.com
      10 months ago

      When a website uses HTTPS they have a certificate that proves who they are. Your device uses that certificate to encrypt your data so that only that service can decrypt it. The issue is that it’s just a file and anyone can make one. So to determine whether I trust your certificate I need it to be cryptographically signed by someone I already trust. These are the certificate authorities.

      If I was a certificate authority that your device trusts then I could create a certificate for any domain and your device would believe me. Meaning I could sit between you and any web service and have you encrypt things with my certificate in a way that lets me decrypt everything before forwarding it to the service and you would never know.
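
The trust model the replies above describe, as an added example that is not part of the thread: stock validation accepts a certificate for a hostname from any root in the trust store, and only an extra key-continuity (pin) check notices that the key changed. The CA names, hostnames, key bytes and the `assess` helper are all constructed assumptions, and signatures are modelled rather than computed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # hostname the certificate is issued for
    issuer: str    # name of the CA that signed it
    key: bytes     # stand-in for the subject's public key bytes

# Constructed trust store: every root here may vouch for ANY hostname.
TRUST_STORE = {"Example Commercial Root", "Example State Root"}

def key_id(cert: Cert) -> str:
    """SHA-256 of the key bytes, used as a pin."""
    return hashlib.sha256(cert.key).hexdigest()

def default_validation(cert: Cert, host: str) -> bool:
    """Model of stock validation: hostname matches and the issuer is trusted.
    Signature checking is assumed to pass, since a trusted CA's signature on a
    certificate it should not have issued is still a genuine signature."""
    return cert.subject == host and cert.issuer in TRUST_STORE

def assess(cert: Cert, host: str, pins: dict[str, set[str]]) -> str:
    """Classify a presented certificate against validation plus recorded pins."""
    if not default_validation(cert, host):
        return "rejected"
    known = pins.get(host)
    if known is not None and key_id(cert) not in known:
        return "accepted-but-unexpected-key"
    return "accepted"

# Constructed sample data (no real keys or certificates).
HOST = "www.example.com"
GENUINE = Cert(HOST, "Example Commercial Root", b"site-operator-key")
SECOND = Cert(HOST, "Example State Root", b"some-other-key")
UNTRUSTED = Cert(HOST, "Unknown Root", b"some-other-key")
PINS = {HOST: {key_id(GENUINE)}}

if __name__ == "__main__":
    for name, cert in [("genuine", GENUINE), ("second", SECOND),
                       ("untrusted", UNTRUSTED)]:
        print(name, default_validation(cert, HOST), assess(cert, HOST, PINS))
```

The second certificate passes `default_validation` exactly as the genuine one does; only the recorded pin distinguishes them, and a host with no recorded pin gets no such signal.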