Hmm. I think (though I am also far from an expert in such things) that the EKUs "allowed" for the root are more a part of how the trust store is configured rather than something about the certificate itself. Are you by any chance using a Microsoft platform for your tests? There was another thread here a couple months ago where somebody was complaining that the ISRG Root is only enabled for Server Authentication on Windows:
But there really wasn't much of a solution offered there. You might be able to add a copy of the root to your own trust store with more EKUs added for systems that you need to use it for, much like one might do for adding a private CA to one's enterprise, but I'm not sure on the specifics how myself.