Where does Flatpak Chrome store certificates?

Does anyone know where Flatpak Chrome (system-wide(!) installation) stores certificates imported via its built-in certificate manager? (Hint: it’s not in ~/.var/app/com.google.Chrome/data/.pki/nssdb/, nor is it anywhere in the ~/.var/app/com.google.Chrome/ folder, nor anywhere in the /var/ folder.)

Lemme guess, no one knows, eh? :face_with_raised_eyebrow:

We are not Chrome developers or even necessarily users, so it’s not surprising that people can’t provide this information.

Chrome is a proprietary application so I’d assume it uses the default location - taking a look at Brave seems to confirm this assumption: ~/.pki/nssdb/ (inside the sandbox)

Thanks for the reply. Interestingly, if you attempt to ask Chrome devs where Flatpak Chrome stores its certificates, they will tersely reply that you should ask the Flatpak people, and then unceremoniously close the ticket.

At any rate, as per the OP, no cert9.db file can be found anywhere in ~/.var/ or /var/ trees. AI says that the Flatpak Chrome sandbox is “a complex runtime isolation enforced by the Linux kernel, not just a simple directory”; despite that, however, Flatpak Chrome certificates do persist(!!). My guess is that the same mechanism applies to Flatpak Firefox, or any other browser.

The Chrome Flathub maintainers are volunteers, so you’ll have to be patient until someone has the time to answer your question.

There are other browsers directly maintained by their developers, e.g. Firefox or Brave. With these projects you should be able to get an answer although for both the location should already be known.

Firefox stores it inside the profile folder, Brave - which uses the same base as Chrome - seems to still store it inside ~/.pki/nssdb/. Both get persisted to ~/.var/app/….

Changes being persisted differs from what others have reported in the Chrome Flathub project. If you can’t locate the files, a guess would be that it is now handled differently. Maybe Chrome has changed its certificate manager? That’s something the developers should be able to answer - it would be independent from Flatpak.

You can also inspect the sandbox yourself:
flatpak info -M com.google.Chrome
flatpak run --command=bash com.google.Chrome
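
A way to check the locations discussed in this thread from the host, as an added example that is not part of any post above: it walks the given directories for NSS certificate databases (cert9.db, or the legacy cert8.db) and lists their contents with certutil. The function names are hypothetical, the search roots are the paths mentioned in the thread, and certutil from the NSS tools package is assumed to be installed for the listing step.

```shell
#!/bin/sh
# Added example: locate NSS certificate databases under the per-app Flatpak
# data directory and the host ~/.pki. Function names are hypothetical.

# find_nssdbs ROOT...
# Print one line per directory holding an NSS cert database, using the
# prefix certutil expects: sql: for cert9.db, dbm: for legacy cert8.db.
find_nssdbs() {
    for root in "$@"; do
        [ -d "$root" ] || continue            # skip roots that do not exist
        find "$root" -type f \( -name cert9.db -o -name cert8.db \) 2>/dev/null |
        while IFS= read -r db; do
            case "${db##*/}" in
                cert9.db) printf 'sql:%s\n' "${db%/*}" ;;
                cert8.db) printf 'dbm:%s\n' "${db%/*}" ;;
            esac
        done
    done
}

# list_certs ROOT...
# For every database found, print its location and the certificates in it.
list_certs() {
    find_nssdbs "$@" | while IFS= read -r spec; do
        echo "== $spec"
        if command -v certutil >/dev/null 2>&1; then
            certutil -L -d "$spec" || echo "   (certutil could not open this database)"
        else
            echo "   (certutil not installed; location reported only)"
        fi
    done
}

# Scan only when asked: sh find-nssdb.sh --scan [APP_ID]
# The default app ID is the one from the thread.
if [ "${1:-}" = "--scan" ]; then
    app_id="${2:-com.google.Chrome}"
    list_certs "$HOME/.var/app/$app_id" "$HOME/.pki"
fi
```

If the scan prints nothing, no NSS database exists under those roots, which matches what the original poster reports.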