Hi Paula

As I read it the user with the new role in the certificate would be the one appearing on the certificate as they are the closest role assignment context to the certificate activity

The other roles with the  moodle/course:update would be at course level so would continue to be able to update the certificate as they still have the permission it is just at a higher context .

Regards