Man in the middle:
You <-cert for x signed by CA-> x
You <-cert for x signed by CA (fake, gov-controlled)-> gov.spy <-cert for x signed by CA-> x (optional)
To x, it looks like gov.spy is you; gov.spy acts like a proxy. And gov.spy can try to force your device to connect to gov.spy instead of x (DNS poisoning, ISP-forced IP redirect, …). It will look like x (the domain resolves to gov.spy's IP, but you cannot know) and have a valid, trusted cert for x.
For that, the government needs to be in the middle of the communication channel. That would take a lot more than just replacing the key on the keyserver.
The Internet relies on DNS and IP. A CA is only relevant for Internet communication. It takes more, but not much more.