I received a response from 360 today, but their response is confusing.
The final response I got after communicating with them was:
OCSP and CRL are required, but CRL is not for website certificates, only root certificates and intermediate certificates
So ISRG Root X1 meets the requirements, and 360 Browser CA Policy section-10 is wrong.