The answer lies in provisioning profiles and not certificates or their authorities.
There's no such thing as an Ad Hoc certificate. There are only Distribution certificates and Development certificates. This is true for Enterprise accounts too, whose certificates are exactly the same (aside from account of provenance type). So Ad Hoc, App Store and Enterprise are all distribution certificates. All your certificates are signed by the same authority: The Apple Worldwide Developer Relations Certification Authority, and as such they can't have different root CAs.
The differences lie in the provisioning profiles themselves, which are simply plists signed by Apple. iDevices trust some part of the WWDR certificate chain (the root CA?) and if the signature checks out, the provisioning profile is interpreted and a decision is made on whether a given app can be installed or run.
Provisioning profiles say who can run what and on which devices. They're signed by Apple so a device can verify what they say.
The differences between the profile types that I can see are:
Enterprise profiles have
<key>ProvisionsAllDevices</key>
<true/>
Ad Hocs have
<key>ProvisionedDevices</key>
<array>
UDIDs! You do, in fact, need to specify them for Ad Hoc!
</array>
And App Store profiles appear to have no special provisioning information. In fact I'm not sure they ever actually get installed on a device.
The command security cms -D -i your.mobileprovision
is useful for exploring provisioning profiles.