JDK-8278449 (https://github.com/openjdk/jdk/commit/9ce2d75d0b5a98fe0d223a2f070b7b0f0fa89322) changed the behavior of the MacOS Keystore implementation (KeychainStore, provider "Apple") to only show certificates with proper trust. This was also documented in the release notes, e.g. here: https://www.oracle.com/java/technologies/javase/17-0-3-relnotes.html#JDK-8278449

However, the implementation seems flawed as not all possible trusted certificates are loaded. With the current code (https://github.com/openjdk/jdk/blob/2adb3b409e8cc87685a4379be3f7beeb53706e2e/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m#L440), certificates are only loaded if a trust record in the "user domain" exists. This however is not sufficient, as there might as well be records in the domains "admin" or "system".

Further details can be taken out of the MacOS API documentation:
https://developer.apple.com/documentation/security/1400261-sectrustsettingscopytrustsetting
https://developer.apple.com/documentation/security/sectrustsettingsdomain

The following example program can be used to display the Keystore contents from the MacOS key chain:

--------------
import java.security.KeyStore;

public class MacKeyChainStoreTrustDemo {

        @SuppressWarnings("nls")
        public static void main(String[] args) throws Exception {
                KeyStore keyStore = KeyStore.getInstance("KeychainStore", "Apple");
                keyStore.load(null, null);
                keyStore.aliases().asIterator().forEachRemaining(System.out::println);
                System.out.println("size:" + keyStore.size());
        }
}
--------------