A trust store is the list of root certificates (also called trust anchors) that comes pre-installed on a device, operating system or browser. A typical store holds more than a hundred roots from the largest CAs, such as DigiCert, Apple, Microsoft, and ISRG (the organisation behind Let's Encrypt). Mozilla is not itself a public CA; like Apple, Microsoft and Google it runs a root program that decides which CAs go into its trust store, and membership can be withdrawn as well as granted: Symantec's roots were distrusted by the major browsers in 2018.
It serves two important purposes. First, the anchors are what the device uses to verify the identity of the other end of a connection. A root CA signs, directly or through intermediates, the certificate a server presents, and because the device already holds the root's public key it can check that signature chain without contacting anyone. Note the direction of trust: the root does not know anything about the device or its keys; the device holds the root's key and uses it to judge the certificates it is shown.
Secondly, they "inoculate" the device with a known-good set of authorities before it talks to anyone. Without pre-installed anchors, the first certificate a device received could not be checked against anything, so it would have to accept it on faith ("trust on first use"), and an attacker on that first connection could inject a false certificate or a false CA that the device would then keep trusting. Shipping the anchors with the device closes that window.
Certificate authorities rarely sign end-entity certificates with the root key directly. Instead they put one or more levels of separation between the root and the client by creating intermediate CAs: CA certificates signed by the root (or by another intermediate) whose keys do the day-to-day issuing. An intermediate issues certificates exactly as a root would, and a chain that ends at a trusted root is trusted however many intermediates it passes through, so in that sense an intermediate carries the root's full authority unless the root deliberately limits it, for example with a path-length or name constraint. The real difference is exposure: the root key can stay offline and be used only to sign intermediates, while the intermediate key is online and signing constantly. If an intermediate is compromised, the root can revoke it and sign a replacement without any trust store having to change, so the damage is bounded to what that intermediate issued. A compromised root, by contrast, can only be dealt with by every vendor shipping an updated trust store.
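The chain-building behaviour described in the last three paragraphs, as an added example that is not part of the original article: a throwaway root, intermediate and leaf are generated with the openssl command-line tool (assumed to be OpenSSL 1.1.1 or newer and on PATH), a trust store containing only the root is used to validate the leaf, and the same store is then shown rejecting both a leaf sent without its intermediate and a chain under a rogue root that the peer supplies itself. All subject names, file names and the helper functions csr, issue, pki_setup and verify_leaf are constructed for this example.

```shell
#!/bin/sh
# Added example; not code from the original article. Builds a small PKI with the
# openssl command-line tool (assumed: OpenSSL 1.1.1 or newer on PATH) and shows
# how a trust store that holds only the root anchors certificate validation.
# All names ("Example Root CA", "Example Intermediate CA", www.example.test,
# "Rogue Root CA") are constructed for this demonstration.

# csr SUBJECT KEYFILE CSRFILE: fresh RSA key plus a certificate request.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$1" \
        -keyout "$2" -out "$3" >/dev/null 2>&1
}

# issue CSR CACERT CAKEY EXTFILE OUT DAYS: sign CSR with the CA's key; the
# extensions come only from EXTFILE, never from the request.
issue() {
    openssl x509 -req -sha256 -days "$6" -in "$1" -CA "$2" -CAkey "$3" \
        -CAcreateserial -extfile "$4" -out "$5" >/dev/null 2>&1
}

pki_setup() {
    PKI=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$PKI/ca.ext"
    # pathlen:0 lets the intermediate issue leaves but not further CAs.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$PKI/int.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$PKI/leaf.ext"

    # Root: self-signed. Below, this single file plays the role of the device's trust store.
    csr "/CN=Example Root CA" "$PKI/root.key" "$PKI/root.csr"
    openssl x509 -req -sha256 -days 3650 -in "$PKI/root.csr" -signkey "$PKI/root.key" \
        -extfile "$PKI/ca.ext" -out "$PKI/root.pem" >/dev/null 2>&1

    # Intermediate: signed by the root; its key is the one used day to day.
    csr "/CN=Example Intermediate CA" "$PKI/int.key" "$PKI/int.csr"
    issue "$PKI/int.csr" "$PKI/root.pem" "$PKI/root.key" "$PKI/int.ext" "$PKI/int.pem" 1825

    # Leaf: signed by the intermediate, never by the root directly.
    csr "/CN=www.example.test" "$PKI/leaf.key" "$PKI/leaf.csr"
    issue "$PKI/leaf.csr" "$PKI/int.pem" "$PKI/int.key" "$PKI/leaf.ext" "$PKI/leaf.pem" 397

    # An attacker's own self-signed root issuing a certificate for the same name.
    csr "/CN=Rogue Root CA" "$PKI/rogue.key" "$PKI/rogue.csr"
    openssl x509 -req -sha256 -days 3650 -in "$PKI/rogue.csr" -signkey "$PKI/rogue.key" \
        -extfile "$PKI/ca.ext" -out "$PKI/rogue.pem" >/dev/null 2>&1
    csr "/CN=www.example.test" "$PKI/rogue-leaf.key" "$PKI/rogue-leaf.csr"
    issue "$PKI/rogue-leaf.csr" "$PKI/rogue.pem" "$PKI/rogue.key" "$PKI/leaf.ext" "$PKI/rogue-leaf.pem" 397
}

# verify_leaf TRUSTSTORE LEAF [UNTRUSTED]: exit 0 only if LEAF chains to an
# anchor in TRUSTSTORE. UNTRUSTED plays the part of the extra certificates a
# TLS server sends with its leaf: usable for chain building, never trusted by
# themselves. -no-CAfile/-no-CApath keep the system's default store out of it.
verify_leaf() {
    if [ -n "${3:-}" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

pki_setup
verify_leaf "$PKI/root.pem" "$PKI/leaf.pem" "$PKI/int.pem" && echo "leaf + intermediate, root in store: trusted"
verify_leaf "$PKI/root.pem" "$PKI/leaf.pem" || echo "leaf alone, intermediate missing: untrusted"
verify_leaf "$PKI/root.pem" "$PKI/rogue-leaf.pem" "$PKI/rogue.pem" || echo "rogue root supplied by the peer: untrusted"
```

Each verify_leaf call returns openssl's own exit status, which is what the echo lines report. Only chain building to an anchor is exercised here; a real TLS client additionally checks the hostname against the subjectAltName (openssl verify -verify_hostname www.example.test does this), the validity dates, and, where configured, revocation. The rogue case is the one the "inoculation" paragraph is about: the peer can send any certificates it likes, including its own self-signed root, and none of them become trusted unless an anchor already in the store vouches for them.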