The urllib backend of Package Control uses the Python _ssl module, which is based on OpenSSL. To verify the certificate of a server, it needs a list of CA certs to build certificate paths back to. Linux machines generally have these, since most use OpenSSL in some form. Mac and Windows machines have their own lists of CA certs in their own formats. For Macs we always export the certs into the format for OpenSSL. On Windows, by default we use the WinINet API for secure connections, which does not require a list of CA certs in a file. If that fails, we try to use the urllib backend, which does require exporting the certs.
CA certs are publicly available, and exporting a list has no security vulnerabilities. The only security issue would be allowing Package Control to add a CA cert to your system, which is not supported or implemented.
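The export described above, sketched as an added example; this is not Package Control's own code. The function names and the bundle file name are hypothetical, and outside Windows the sketch assumes OpenSSL's default paths already hold the system CAs. It only reads the trust store and writes public certificates to a PEM file.

```python
import os
import ssl
import sys
import tempfile


def system_ca_certs_der():
    """Return the OS-trusted CA certificates as a list of DER byte strings."""
    if sys.platform == "win32":
        # Windows keeps CAs in system stores, not in a file; read them out.
        certs = []
        for store in ("ROOT", "CA"):
            for der, encoding, trust in ssl.enum_certificates(store):
                # Keep X.509 certs trusted for any use or for TLS server auth.
                if encoding == "x509_asn" and (
                    trust is True or "1.3.6.1.5.5.7.3.1" in trust
                ):
                    certs.append(der)
        return certs
    # Assumption: elsewhere, OpenSSL's default locations hold the system CAs.
    return ssl.create_default_context().get_ca_certs(binary_form=True)


def write_openssl_bundle(der_certs, path):
    """Write DER certs as one concatenated PEM file, the format OpenSSL reads."""
    unique = sorted(set(der_certs))  # the same CA can appear in several stores
    with open(path, "w", encoding="ascii") as f:
        for der in unique:
            f.write(ssl.DER_cert_to_PEM_cert(der))
    return len(unique)


def read_openssl_bundle(path):
    """Parse a PEM bundle back into DER byte strings."""
    with open(path, encoding="ascii") as f:
        text = f.read()
    end = "-----END CERTIFICATE-----"
    blocks = [b + end for b in text.split(end) if "BEGIN CERTIFICATE" in b]
    return [ssl.PEM_cert_to_DER_cert(b.strip()) for b in blocks]


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "ca-bundle.crt")  # hypothetical name
    count = write_openssl_bundle(system_ca_certs_der(), path)
    print(count, "CA certs exported to", path)
    if count:
        # A urllib-style client would verify servers against the exported file.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=path)
```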