On Linux there's usually a central cert-db, but I'm not sure there's such a thing on Windows.
I'm pretty sure that's not true.
What's the recommended way to handle TLS validation on Windows?
The recommended way is to do nothing. Just use the default GTlsDatabase. [That's implemented here](https://gitlab.gnome.org/GNOME/glib-networking/-/blob/master/tls/gnutls/gtls...) and it just uses GnuTLS's default trust store. Presumably that should work as expected on Windows.