My understanding (and again, I am far from being an expert, I'm just an enthusiastic amateur), is that at least in the way Microsoft's trust platform (the Crypto APIs built into Windows and such) work, the answer is no: roots can't allow intermediates to do more than themselves. That is, in order for a specific EKU to be "allowed", it needs to be contained in not just the leaf, but also in the entire chain of intermediates up through to the root. And which EKUs are allowed for the root is determined by the trust store database, not something inherent to the self-signed root certificate itself.
That is, if you look at the "txt" format of the intermediates on the Chain of Trust page, they say "X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication". But the roots on that page, whether self-signed or cross-signed, don't list an "X509v3 Extended Key Usage" at all.
My understanding is that Microsoft's approach of needing the EKUs to be there up through the whole chain is not always what's done by everybody else, but isn't "wrong". This is one of the areas I'm really fuzzy on, though.
But I think all the root stores do something like this: Mozilla's trust store separately determines whether a root is trusted for TLS, S/MIME, or both. And Microsoft's trust store here is specifically saying that the root should be trusted for Server Authentication, but not for other usage like S/MIME or Code Signing. Which makes sense, because Let's Encrypt's root isn't "supposed" to be signing Code Signing certificates and isn't being audited for such, so it's safer to not allow that usage.
But, it seems like Let's Encrypt's root is "supposed" to be signing Client Authentication certificates (or at least, that's in the EKU of their intermediates and leafs), but it's not "trusted" for such in Microsoft's root store. So, if using Microsoft's APIs to validate certificates, if one wants to do a mutual TLS type thing of both the client and server sending their certificates, it doesn't work. One would need to use a different Crypto library with a separate trust store (like say, using Mozilla's libraries or OpenSSL, just for some examples), rather than the stuff built-into the OS. And if integrating with other Microsoft products (like IIS), might be tough-to-impossible to get working at all.