Back in March iOS 10.3 changed the way manually installed certificate profiles are treated (cf. https://support.apple.com/en-us/HT204477): certificates installed in such a way are no longer trusted by default; instead trust has to be explicitly granted using a switch under Settings > General > About > Certificate Trust Settings.
What apparently also changed is how those certificates are treated by the Security.framework. Prior to iOS 10.3 (where the switch to "Enable full trust for root certificates" was on by default) calling SecTrustEvaluate for a chain containing such a certificate returned kSecTrustResultUnspecified if trust was granted and kSecTrustResultRecoverableTrustFailure if trust was denied. However, in iOS 11 at least - and I suppose ever since iOS 10.3 - this appears to have changed: SecTrustEvaluate still returns kSecTrustResultRecoverableTrustFailure if the switch was off, but if it was on the result is kSecTrustResultProceed. I cannot find any mention of this change anywhere and am wondering whether that was intentional - which would arguably make sense since the documentation for SecTrustEvaluate explicitly states that if kSecTrustResultProceed is being returned "the user explicitly chose to trust a certificate in the chain (usually by clicking a button in a certificate trust panel). Your app should trust the chain."