Correction: the distrust applies to site certs, with Symantec & partner CA's. The distrust doesn't apply directly to root certs, as I previously stated/understood. Logically the two distrust patterns are very similar: if you distrust all the site certs issued by a CA, it's very similar to distrusting the CA itself.
The warnings appear as !Warnings on the top taskbar, in the console, and look like:
The SSL certificate used to load resources from https://… will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.
The link goes to the 9/11 Google Security Blog article given in my first post.
Although the warning refs M70, some certs will be distrusted as early as M66, see the 9/11 article.
I've only seen one warning message. There may be variants for related cases.
Here are two sites mentioned in the Chrome Help forum that, as of 12/5, triggered the alerts. When the sites update their certs (which may be soon) the warnings won't appear.
ASFAIK: The gate for triggering the distrust and warnings are specific to Chrome. Other browsers are implementing similar restrictions. I haven't seen a statement of the logic triggering the warnings, other than the descriptions in the 9/11 article. This 8/29 AKAMAI article talks about their CDN update details, and highlights some of the internal issues.