reading through dirmngr/http.c and dirmngr/ks-engine-http.c, it appears that HTTP_FLAG_TRUST_SYS is being unilaterally set.
This is probably inappropriate in instances where the target is the SKS HKPS pool (hkps.pool.sks-keyservers.net) because we know that that pool should only be authenticated by @kristianf's CA.