
Google's fully homomorphic encryption package

Posted Jun 15, 2021 19:35 UTC (Tue) by job (guest, #670)
In reply to: Google's fully homomorphic encryption package by Cyberax
Parent article: Google's fully homomorphic encryption package

It sounds silly put like that but Certificate Transparency works exactly like that, a Merkle tree with signatures. It's very much decentralized and distributed. Of course, it wasn't called a blockchain back then.



Google's fully homomorphic encryption package

Posted Jun 15, 2021 22:34 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

CT logs aren't public in the sense that anyone can submit a change there; they're more like a git repo with git-externals with commit rights for certificate authorities.

But yep, it's the closest practical example where blockchain can be useful.

CT

Posted Jun 19, 2021 2:29 UTC (Sat) by tialaramex (subscriber, #21167) [Link]

Although it's usual for larger Certificate Authorities to secure a tit-for-tat deal to use each other's CT logs with appropriate availability guarantees, most CT logs very much are public in the sense that anyone can submit a "change".

It's just that the only allowed "changes" are logging certificates with specific characteristics, and in many cases all the interesting certificates have been logged. You can't log the same certificate again.

Historically, prior to the mandate, and to a lesser extent up until this month (at the end of May 2021 near as I can tell the last possible certificate that could have existed, trusted in the Web PKI without ever being logged, would have expired) it was possible to find certificates out in the wild which hadn't been logged and go log them. But by 2017 or so you'd need to be on the ball because Google's spiders, the ones which power the search engine, were doing the same thing.

If you have money, and thus can afford to make it worth their while, a CA can sell you (No, Let's Encrypt doesn't offer this, they could but there's no obvious reason why you should want it or why it would be in their interests to offer it) a certificate which hasn't been logged, even now. The mandate from Chrome isn't a root store policy, it's just a mandate for Chrome. You can then submit that certificate to logs yourself, the CA which sold it to you likely has some suggestions for where to do that. So long as you keep your receipts (SCTs, everybody else's are burned inside their certificate, but since yours was not logged when you received it, it's too late for that) you can prove this certificate was properly logged and it will work just fine.

Google does that, for some of their systems. But they know what they're doing (or at least, they employ teams of people to know).

