for example Lenovo did it so they could inject ads into web pages that were supposedly cryptographically protected from tampering
This makes no sense. Why do you need your private key to be located on the users' computer for that?
Why? Because you can't defeat the certificate checking logic of the local SSL stack. You need 'a' private key there for a trusted root CA so you can generate certificates on the fly that other parts of the system will see as valid.
Browser tries google.com -> you intercept it -> you go fetch the cert from the original destination IP -> you validate it or don't -> you generate a new cert based on the content of the one you got and sign it with the private key -> send the response to the browser (which then validates the cert, checking it against the local trusted root you installed).
That is it in a nutshell. There are some other details, but basically that is how it's done, and that is why you need the local private key: without it you could not generate signed certs.
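Added example, not code from this thread or from any vendor: a Go program using only the standard library that builds the two chains the comment describes (a leaf for a host issued by a genuine root, and a second leaf for the same host issued by a root that was added to the local trust store) and then checks both the way a client would. It shows why ordinary chain validation accepts both once the extra root is installed, and why a pin on the expected issuer's SubjectPublicKeyInfo still tells them apart. The CA names, the host name `example.com`, the pin set, and the function names are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// makeCA builds a self-signed root. Both the "genuine" root and the
// "locally installed" root below are constructed with it for the example.
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueLeaf issues a server certificate for host from ca. The only thing
// distinguishing the intercepted leaf from the genuine one is which CA key
// signed it; the name on it is the same.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// spkiPin is the SHA-256 hex digest of a certificate's SubjectPublicKeyInfo,
// the value HPKP-style pinning compares against.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// chainValid is what the local SSL stack does: build a chain for host to any
// root in the store. It has no idea which roots "belong" there.
func chainValid(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// pinMatches additionally requires some certificate in the verified chain to
// carry one of the expected SPKI pins. A chain that cannot be built fails too.
func pinMatches(leaf *x509.Certificate, host string, roots *x509.CertPool, pins map[string]bool) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return true
			}
		}
	}
	return false
}

// Result records what a client would conclude about each chain.
type Result struct {
	GenuineChainOK, InterceptedChainOK bool // plain chain validation
	GenuinePinOK, InterceptedPinOK     bool // validation plus SPKI pin
}

// RunScenario builds the genuine and intercepted chains for host and checks both.
func RunScenario(host string) Result {
	genuineCA, genuineKey := makeCA("Genuine Root CA")      // constructed
	localCA, localKey := makeCA("Locally Installed Root CA") // constructed
	genuineLeaf := issueLeaf(host, genuineCA, genuineKey)
	interceptedLeaf := issueLeaf(host, localCA, localKey)

	// Trust store as the comment describes it: the usual roots plus the extra one.
	roots := x509.NewCertPool()
	roots.AddCert(genuineCA)
	roots.AddCert(localCA)

	// The operator knows which issuer key should be behind this host's cert.
	pins := map[string]bool{spkiPin(genuineCA): true}

	return Result{
		GenuineChainOK:     chainValid(genuineLeaf, host, roots),
		InterceptedChainOK: chainValid(interceptedLeaf, host, roots),
		GenuinePinOK:       pinMatches(genuineLeaf, host, roots, pins),
		InterceptedPinOK:   pinMatches(interceptedLeaf, host, roots, pins),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario("example.com"))
}
```

Both `ChainOK` fields come back true, which is the comment's point: once the extra root is in the store, the stack cannot distinguish a re-signed leaf from the real one. Only the pin check (or, in practice, auditing the trust store for roots you did not put there) separates them, because it checks the issuer's key rather than merely "some trusted root signed this".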