Deploying certificates with MDM currently has a major limitation: you can only deploy certificates into the login keychain of the "MDM user", which is normally the user present when the device was enrolled.
Does declarative device management certificate management address this at all?
On macOS, MDM has a device channel and a user channel. The latter can be used to manage one local user only. Certificates installed on the device channel will go into the system keychain, and certificates installed on the user channel will go into the user (login) keychain of the (one) managed user. There is no way to target the keychains of other local users.
Since declarative device management is built into MDM, it uses the same device/user channel model that MDM has. So, as with MDM, a certificate installed by a configuration on the device channel will go into the system keychain, and one installed on the user channel will go into the user (login) keychain of the (one) managed user.
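A practical way to confirm the channel behaviour described in the answer is to check, after a push, which keychains the certificate actually landed in. The script below is an added example and is not part of the original thread; it assumes it is run as root on macOS with Apple's `security` and `dscl` tools available, that the certificate is identified by its common name (CN), that local user home directories live under `/Users`, and that the login keychain uses the modern `login.keychain-db` filename. A certificate delivered on the device channel should show up only in the system keychain; one delivered on the user channel should show up only in the managed user's login keychain, and in no other local user's keychain.

```shell
#!/bin/sh
# Added example: report where a certificate landed after an MDM/DDM push on macOS.
# Assumptions (not from the original thread): macOS, run as root, `security` and
# `dscl` present, user homes under /Users, login keychain named login.keychain-db.

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Path of the login keychain for a local user (assumed layout, macOS 10.12+ naming).
login_keychain_for() {
    printf '/Users/%s/Library/Keychains/login.keychain-db\n' "$1"
}

# Exit 0 if a certificate with common name $1 is in keychain file $2,
# 1 if the keychain exists but does not contain it, 2 if the file is unreadable.
cert_in_keychain() {
    cn=$1
    keychain=$2
    [ -r "$keychain" ] || return 2
    security find-certificate -c "$cn" "$keychain" >/dev/null 2>&1
}

# Print one line for the system keychain and one per local user (UID >= 500),
# so device-channel vs user-channel delivery is visible at a glance.
report_cert_locations() {
    cn=$1
    if cert_in_keychain "$cn" "$SYSTEM_KEYCHAIN"; then
        echo "system keychain: present (device channel)"
    else
        echo "system keychain: absent"
    fi
    # dscl prints "username uid"; skip service accounts below UID 500.
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' | while read -r user; do
        kc=$(login_keychain_for "$user")
        case "$(cert_in_keychain "$cn" "$kc"; echo $?)" in
            0) echo "$user login keychain: present (user channel)" ;;
            1) echo "$user login keychain: absent" ;;
            *) echo "$user login keychain: not readable ($kc)" ;;
        esac
    done
}

# Usage: sudo sh check_cert.sh "Corp Device Certificate"
if [ $# -ge 1 ]; then
    report_cert_locations "$1"
fi
```

If the certificate appears in the system keychain but not in any login keychain, it was delivered on the device channel; if it appears in exactly one user's login keychain, that user is the managed (MDM) user. Any other local user's login keychain showing "absent" is the limitation the question describes.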