From memory, I believe GSMA (the industry association that helps to keep mobile technology dominated by carriers that hold exclusively licensed spectrum, if you're cynical) require everyone who provides eSIM to have been security audited. They can then get access to a trusted certificate that will be able to sign the handshake to the embedded security module (eSIM).
It's complex, but remember that in the traditional world view of mobile, the carrier "owns" the SIM, and the handset, and the network itself. When the carrier can't control the SIM in its entirety, you need to have someone brokering the relationship here between everyone - otherwise a carrier coming onto a device may lack confidence the device isn't compromised by the previous network that served it.
Some information that might help you start looking around the topic - https://pages.arm.com/rs/312-SAX-488/images/GSMA_eSIM_Certif...