Is it dangerous to add a custom cert authority to a browser?

For example if my friend develops a webapp with a custom cert and I add them as CA to my browser, can they do any damage? I mean for example somehow faking certs and stealing my banking password, etc.? Are there such risks with custom cert authorities?