CertificateManagerModel.ListsCertsFromPlatform was flaky - see
https://logs.chromium.org/logs/chromium/buildbucket/cr-buildbucket.appspot.com/8937415838820796480/+/steps/unit_tests__with_patch_/0/stdout

I've temporarily disabled it in 
https://chromium-review.googlesource.com/c/chromium/src/+/1186581
It seems that the issue is that after importing the test cert into the test slot:
PK11_ImportCert(test_nssdb_.slot(), cert, CK_INVALID_HANDLE, "cert",                            PR_FALSE /* includeTrust (unused) */));

We list the certificates and find the corresponding CertInfo object:
certificate_manager_model_->FilterAndBuildOrgGroupingMap(net::CertType::CA_CERT, &org_grouping_map);
CertificateManagerModel::CertInfo* cert_info = GetCertInfoFromOrgGroupingMap(org_grouping_map, cert);

and the following two expectations fail:
EXPECT_TRUE(cert_info->untrusted());
EXPECT_FALSE(cert_info->web_trust_anchor());

I can only imagine that the cert having trust in NSS somehow leaks from another test run.

The tests are run with NSS_DISABLE_UNLOAD=1 NSS_DISABLE_ARENA_FREE_LIST=1 but I couldn't repro on my machine with those flags even in 200 iterations.