What are the risks of installing a root certificate from Facebook on your phone?
Do you trust that Facebook and everyone they sell the data to will not use it for evil?
Allowing Facebook to install a root certificate on your phone makes it possible for them to intercept any and all communications, even encrypted ones. They will be able to view everything from arbitrary private conversations to banking transactions or online purchases. They will be able to record every password you use on every service if they so wish, even if the password is being sent to a secure website using HTTPS for encryption. You have no way of knowing how they will use this data or who they sell it to.
Facebook makes money not just through advertisements, but by collecting personal information and selling it to the highest bidder. This includes advertising and profiling companies as well as "foreign" governments. The information can be used to formulate the best ways to manipulate you in the future, either to buy a product or to vote in a certain way, as has been done by Cambridge Analytica.
Do you trust that the security of this app is sufficient that hackers cannot exploit it?
Even if you trust Facebook and everyone they sell to not to use this power for evil, there are countless hackers who would love to take advantage of this fact. Normally, your system only trusts root certificates that have gone through extreme scrutiny, having gone through a key ceremony for improved security:
The actual root key-pair generation is normally conducted in a secure vault that has no communication or contact with the outside world other than a single telephone line or intercom. Once the vault is secured, all personnel present must prove their identity using at least two legally recognized forms of identification. Every person present, every transaction and every event is logged by the lawyer in a root key ceremony log book and each page is notarized by the notary. From the moment the vault door is closed until it is re-opened, everything is also video recorded. The lawyer and the organization's two signatories must sign the recording and it too is then notarized.
Web browsers will not accept root certificates from any entity which has not gone through such extensive measures to ensure the root certificate is secure, but by installing this "Facebook research VPN" and root certificate, you are completely bypassing this process. How much security do you think Facebook has actually put into guarding the root certificate that they are asking you to install?
It's really less about what you have to hide and more about the chilling effect that happens when one corporate giant gets an unfair share of information - like the WhatsApp purchase mentioned in that article indicated. Any mega corp knowing exactly who their biggest competitor at every point in time is a scary thought. It would be one thing if everyone knew it, or even if all of the fortune 500 knew it. But having that kind of information in the hands of a very few companies is frightening.
That is, incidentally, what I feel the scariest thing is about Google, because knowing everything at every point in time is kind of their shtick.