When testing an untrusted root, client validation libraries often treat incomplete chains (chains which do not chain to a trust anchor or self-signed certificate) distinct from those that chain to a self-signed, but not trusted, root.
A better reflection of the security risk would be to have the server send the root certificate in-band, as part of the TLS handshake. Clients which only look to see that the chain is valid/parsable and terminates in a self-signed certificate will accept it, while clients that rely on trust status information should continue to reject it.
When testing an untrusted root, client validation libraries often treat incomplete chains (chains which do not chain to a trust anchor or self-signed certificate) distinct from those that chain to a self-signed, but not trusted, root.
A better reflection of the security risk would be to have the server send the root certificate in-band, as part of the TLS handshake. Clients which only look to see that the chain is valid/parsable and terminates in a self-signed certificate will accept it, while clients that rely on trust status information should continue to reject it.