EKU of Root Certificate

Confirming what has been said above, in fewer words:

  • In general, Root Certificates do not contain EKUs specifying their uses; EKUs are generally found only in Subordinate CA (Intermediate) and Subscriber (End-Entity) Certificates. Specifically, neither ISRG Root X1 nor DST Root CA X3 contains any EKUs in the certificate itself.
  • Root programs tag trust anchors with the usages that they allow that anchor to be trusted for. It appears that the Microsoft root program has DST Root CA X3 tagged with many uses, while it has ISRG Root X1 tagged with only the Server Auth usage.

It is not clear to me personally why ISRG Root X1 is not tagged as being trusted for Client Auth in the Microsoft Root Program, but I assume some of the other folks here know. I'll work with @josh to get a better understanding of why this is the case, and whether it can be changed.

8 Likes
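To see the first bullet in practice, here is an added shell example (not part of the original post): it builds a throwaway self-signed root and a subordinate CA with openssl (assumed to be version 1.1.1 or later and on PATH) and reports which of the two carries an extendedKeyUsage extension. The certificates are constructed test material, not ISRG Root X1 or DST Root CA X3; the root program's own usage tagging lives outside the certificate and is not visible here.

```shell
#!/bin/sh
# Compare the EKU extension of a constructed root vs. a constructed sub CA.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print the EKU names found in a PEM certificate, or "none" if the
# certificate carries no extendedKeyUsage extension at all.
eku_of() {
    openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print; found = 1 }
         END { if (!found) print "none" }'
}

# Constructed self-signed root: CA flag and key usage only, no EKU,
# mirroring how public roots are typically issued.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Constructed Test Root" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1

# Constructed subordinate CA signed by that root, with an explicit EKU
# restricting it to server and client authentication.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" \
    -subj "/CN=Constructed Test Sub CA" >/dev/null 2>&1
printf '%s\n' \
    'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'extendedKeyUsage=serverAuth,clientAuth' > "$WORK/sub.ext"
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/sub.ext" \
    -out "$WORK/sub.pem" >/dev/null 2>&1

ROOT_EKU=$(eku_of "$WORK/root.pem")   # expected: none
SUB_EKU=$(eku_of "$WORK/sub.pem")     # expected: TLS Web Server/Client Authentication
echo "root EKU:   $ROOT_EKU"
echo "sub CA EKU: $SUB_EKU"
```

Run the same `eku_of` function against any real root PEM and it will report "none" as well; any usage restrictions on that root come from the root program's metadata, not from the certificate.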