Yes, I learned in the Zulip promo discussion earlier this week that self-hosted push notification servers have to have certs compiled directly into the app. I can't tell if it's malice, indifference or incompetence to have that design; any answer is completely believable.

Is there an architectural opportunity to build a "Self-hosted push notification" app and business, where the push broker builds an app to deploy to play, then the self-hosted apps build trust with the broker. The broker app sends push notifications to the user device, which can inform them of the message sent and open arbitrary app windows?