The existence of leaked platform signing certificates breaks a core Android security feature: the application sandbox. Theoretically, a malicious actor with the leaked cert can sign an app and declare the shared user ID Manifest element to run in the same process as 'android', ie. the operating system process.
