Command Line unix stuff over my head: What am I doing wrong?

That line has a different problem, mainly that the author has never heard of mktemp -d. The DIR=${TMPDIR}/trustroot.$$ is just a lazy way of making a unique directory to put a bunch of certificates in. It should work fine assuming there are no malicious users on the system creating a bunch of trustroot.12345 directories and filling them with evil certificates hoping they'll get added to the trust store when the sysadmin runs the script.

TMPDIR on the Mac might even be specific to each user, in which case I’m being overly cautious, but mktemp would be the far better solution on most Unix-likes, where TMPDIR is going to default to the 1777 /tmp.

The directory is being created because the rootcerts.pem file needs to be broken up into its individual certificates, and then each individually added to the trust store; which is what the loop does.
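An added example, not the script from the thread: it does the split step the reply describes, but inside a directory made with mktemp -d instead of a guessable trustroot.$$ name. The bundle contents are constructed dummy PEM blocks, and the trust-store import itself is left as a comment since that command is platform-specific.

```shell
#!/bin/sh
# Added example: split a PEM bundle into one file per certificate inside a
# private scratch directory created with mktemp -d. The certificate bodies
# below are constructed placeholders, not real certificates.

# Write a constructed two-certificate bundle to the path given in $1.
make_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQg==
-----END CERTIFICATE-----
EOF
}

# Split bundle $1 into $2/cert.N.pem (one block each); print the count.
split_bundle() {
  bundle=$1; dir=$2
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$bundle"
}

# mktemp -d creates a fresh 0700 directory atomically and fails instead of
# reusing one that another user pre-created, which is the hole a fixed
# ${TMPDIR}/trustroot.$$ path leaves open on a world-writable /tmp.
demo() {
  workdir=$(mktemp -d "${TMPDIR:-/tmp}/trustroot.XXXXXX") || return 1
  trap 'rm -rf "$workdir"' EXIT
  make_sample_bundle "$workdir/rootcerts.pem"
  count=$(split_bundle "$workdir/rootcerts.pem" "$workdir")
  for f in "$workdir"/cert.*.pem; do
    # The real script would add "$f" to the trust store here.
    [ -s "$f" ] || return 1
  done
  echo "$count"
}
```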