Does anyone know where Flatpak Chrome (system-wide(!) installation) store certificates imported via its built-in certificate manager??? (Hint: it’s not in ~/.var/app/com.google.Chrome/data/.pki/nssdb/, nor is it anywhere in the ~/.var/app/com.google.Chrome/ folder, neither anywhere in the /var/ folder.)
Lemme guess, no one knows, eh? 
We are not Chrome developers or even necessarily users, so it’s not surprising that people can’t provide this information.
Chrome is a proprietary application so I’d assume it uses the default location - taking a look at Brave seems to confirm this assumption: ~/.pki/nssdb/ (inside the sandbox)
Thanks for the reply. Interestingly, if you attempt to ask Chrome devs where Flatpak Chrome stores its certificates, they will tersely reply that you should to ask the Flatpak people, and then unceremoniously close the ticket.
At any rate, as per the OP, no cert9.db file can be found anywhere in ~/.var/ or /var/ trees. AI says that the Flatpak Chrome sandbox is “a complex runtime isolation enforced by the Linux kernel, not just a simple directory”; despite that, however, Flatpak Chrome certificates do persist(!!). My guess is that the same mechanism applies to Flatpak FireFox, or any other browser.