Hacker News

Are there any guides to check for shady SSL certificate shenanigans on an employer provided Mac?


If the employer had physical access, what would prevent them installing a rootkit? Then you couldn't detect a fake certificate no matter what you tried. Or deeper, if you distrust the provided software, what makes you trust the hardware? It's turtles all the way down ;)


I'm not talking about anything shady here. We're told that they're going to update our desktop SSL certificates for this reason. Partially CYA, partially compliance/legal. I'd probably quit if someone were keylogging or screengrabbing my work machine without my knowledge, but I'm not talking about employers being sneaky.

And this is exactly end-to-end encryption that the original thread responder mentioned; I know it's in place so I won't connect to my personal accounts from the work machine. That's what my phone is for (and I won't use their wifi for my phone, either).


Yes, but assuming partial good faith (this does sound like an oxymoron, but humor me) - how would I go about checking for cert misuses?


The OS should have a trusted CA list somewhere (not sure where OSX does); checking that it matches a fresh install should be the first step. Note that there might be multiple lists - Firefox, for one, tends to keep their CA list separate.
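The comparison suggested in the last comment, as an added example that is not part of the thread: diff a trust store against a baseline by SHA-256 fingerprint rather than by certificate name. It assumes both stores have already been exported as PEM bundles (on macOS, `security find-certificate -a -p <keychain>` prints one); the function names and the sample "certificates" are constructed placeholders, not real CA data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_bundle):
    """Map SHA-256 fingerprint -> DER bytes for every cert in a PEM bundle."""
    out = {}
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        out[hashlib.sha256(der).hexdigest()] = der
    return out

def diff_trust_stores(baseline_pem, current_pem):
    """Return (added, removed) fingerprint lists relative to the baseline."""
    base, cur = fingerprints(baseline_pem), fingerprints(current_pem)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    return added, removed

def _fake_pem(label):
    # Constructed stand-in: arbitrary bytes wrapped as PEM, not a real cert.
    b64 = base64.b64encode(label.encode() * 8).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample input: a fresh-install baseline and a managed machine
# whose store carries one extra root (hypothetical name).
BASELINE = _fake_pem("Public Root A") + _fake_pem("Public Root B")
CURRENT = BASELINE + _fake_pem("Example Corp Inspection CA")

if __name__ == "__main__":
    added, removed = diff_trust_stores(BASELINE, CURRENT)
    for fp in added:
        print("added since baseline:", fp)
    for fp in removed:
        print("missing from current:", fp)
```

Run it once per store, since a browser that keeps its own CA list needs its own baseline.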



