
Only use `webpki` certs despite enabled `rustls-tls-native-roots` feature

Open daxpedda opened this issue 2 years ago • 3 comments

I would like to have more fine-grained control over the root certificates added, regardless of enabled crate features. ClientBuilder::tls_built_in_root_certs() (added in https://github.com/seanmonstar/reqwest/pull/1150) only allows enabling or disabling all of them.

One solution would be to disable all of them and add any desired ones yourself. This didn't turn out to be ideal, because webpki already offers parsed certificates, but ClientBuilder::add_root_certificate() takes a Certificate, which only accepts DER- or PEM-encoded certificates.

Suggested Solutions

  1. Add a new method, Certificate::from_rustls(), to Certificate, which takes an OwnedTrustAnchor. This would make it easy to add arbitrary root certificates to rustls without having to serialize them to DER first, only to have them deserialized by rustls right after.
  2. Add new methods to ClientBuilder allowing for more fine-grained control over which built-in certificates are added. E.g. ClientBuilder::tls_webpki_root_certs() and ClientBuilder::tls_native_root_certs(). Potentially removing ClientBuilder::tls_built_in_root_certs() completely in the next version.

I actually think both solutions could work quite well simultaneously.

daxpedda avatar May 21 '23 18:05 daxpedda

We could do something like no_gzip(), no_proxy(), etc, where even if a feature is enabled, that ClientBuilder will not use them.

seanmonstar avatar May 22 '23 16:05 seanmonstar

Will make a PR shortly.

daxpedda avatar May 22 '23 16:05 daxpedda

We also had this need in uv and ended up doing the configuration outside of reqwest: https://github.com/astral-sh/uv/pull/2362. It would be great if the builder API supported this!

charliermarsh avatar Mar 11 '24 20:03 charliermarsh

After a change in mind as to how exactly to expose this, there's a new PR at #2232.

seanmonstar avatar Apr 01 '24 20:04 seanmonstar

That looks great. We'll definitely use it. Thanks @seanmonstar!

charliermarsh avatar Apr 01 '24 20:04 charliermarsh