RequestError (x509: certificate signed by unknown authority) on attaching workspace when using a certain job image

I’ve got a reproducible build failure when a particular off-the-shelf Docker image is specified for a job in config.yml. The image, kcov/kcov:latest, is downloaded successfully in the setup phase, and I can also download it locally without problems. However, the attach_workspace step fails with an error:

Error downloading workspace layer for job a491b12f-1e3d-41f6-9568-4460eecf7f8d: RequestError: send request failed caused by: Get https://circle-production-customer-artifacts.s3.amazonaws.com/?list-type=2&prefix=picard%2F5a9c03d706e7a707755d9bba%2Fworkflows%2Fworkspaces%2Ff462365f-46d0-40ee-8063-2981ae991a43%2F0%2Fa491b12f-1e3d-41f6-9568-4460eecf7f8d: x509: certificate signed by unknown authority

Replacing the job image with ragnaroek/kcov:v33 makes the problem go away.

It looks like a manifestation of a known problem: https://support.circleci.com/hc/en-us/articles/360016505753-Resolve-Certificate-Signed-By-Unknown-Authority-error-in-Alpine-images?flash_digest=39b76521a337cecacac0cc10cb28f3747bb5fc6a

An odd thing here is that CircleCI has to rely on the in-container environment to download the workspace. Why can’t it be done completely outside of any customer’s container images via Docker volumes, so that any off-the-shelf container image can be combined with a workspace, regardless of whether it has the necessary CA certificates provisioned?

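A pre-flight check for the failure described in the post, as an added example that is not from the original post or from CircleCI: it looks for a CA trust store in the locations Go's crypto/x509 searches on Linux (the error text above is that package's wording). That the workspace downloader uses these default locations is an assumption, and `count_certs` and `find_ca_store` are illustrative names.

```shell
#!/bin/sh
# Added example (not CircleCI code): report whether a root filesystem holds a
# CA trust store that a Go TLS client would find. Run it inside the job image
# as a step before attach_workspace, or against an unpacked image root.

# Bundle files and certificate directories Go's crypto/x509 checks on Linux.
CA_FILES="etc/ssl/certs/ca-certificates.crt etc/pki/tls/certs/ca-bundle.crt
etc/ssl/ca-bundle.pem etc/pki/tls/cacert.pem
etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem etc/ssl/cert.pem"
CA_DIRS="etc/ssl/certs etc/pki/tls/certs"

# Print the number of PEM certificate blocks in a file (0 if missing/unreadable).
count_certs() {
    [ -f "$1" ] && [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# find_ca_store [ROOT]: print "<path> <cert count>" for the first usable store.
# Returns 0 when one is found, 1 when the image has no trusted roots at all.
# An empty bundle file is treated the same as a missing one.
find_ca_store() {
    root=${1:-/}
    root=${root%/}
    for f in $CA_FILES; do
        n=$(count_certs "$root/$f")
        if [ "$n" -gt 0 ]; then echo "$root/$f $n"; return 0; fi
    done
    for d in $CA_DIRS; do
        total=0
        for f in "$root/$d"/*; do
            n=$(count_certs "$f")
            total=$((total + n))
        done
        if [ "$total" -gt 0 ]; then echo "$root/$d $total"; return 0; fi
    done
    return 1
}

# When called with a root path argument, fail the step early with a clear message.
if [ "$#" -gt 0 ]; then
    find_ca_store "$1" || {
        echo "no CA certificates under $1: TLS verification will fail" >&2
        exit 1
    }
fi
```

Invoked as `sh check_ca.sh /` in a step ahead of `attach_workspace`, it turns the x509 failure into an explicit message about the image's missing trust store.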