That's a good point.
Maybe not. I'm not convinced that these distrusts were ever implemented in Android's security provider. (Outside of the stock AOSP browser and Chrome, that is).
For example, this site has an unexpired Symantec certificate which is supposed to be distrusted.
Firefox and Chrome both complain about it.
On the other hand, I can quite happily connect to that site using a simple HttpsURLConnection in a demo app on Android 9.
Sorry, I get that this is moot by now and devolves into a philosophical discussion about how to securely cope with running an app on an old OS. I thought it'd be worthwhile to check and share what Android/AOSP actually does, especially since there appears to be no public authoritative information on the topic.
curl (built with either nss or openssl) doesn't seem to care either, if we want to draw comparisons to how popular tooling in the ecosystem operates.
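As an added example (not code from this thread or from AOSP), one way for an app to enforce such a distrust itself, on top of whatever the OS trust store does: an X509TrustManager wrapper that runs the platform's validation first and then rejects any chain whose subject or issuer matches an app-supplied set of root distinguished names. The set's contents are left to the caller (for the Symantec case, the root subjects published in Chrome's or Mozilla's distrust lists); the class and method names are my own.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

/** Runs the platform's validation first, then rejects chains anchored to an app-level denylist of roots. */
public final class DistrustingTrustManager implements X509TrustManager {
    private final X509TrustManager platform;
    private final Set<X500Principal> distrustedRoots; // subject DNs of roots the OS still trusts but the app does not
    public DistrustingTrustManager(X509TrustManager platform, Set<X500Principal> distrustedRoots) {
        this.platform = platform;
        this.distrustedRoots = distrustedRoots;
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkServerTrusted(chain, authType); // normal path building and validity checks
        // Servers often omit the root, so look at issuers too: the last intermediate's
        // issuer names the root even when the root certificate itself is not sent.
        for (X509Certificate cert : chain) {
            if (distrustedRoots.contains(cert.getSubjectX500Principal())
                    || distrustedRoots.contains(cert.getIssuerX500Principal())) {
                throw new CertificateException("chain anchors to distrusted root: " + cert.getIssuerX500Principal());
            }
        }
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }

    /** Makes the wrapper the default trust manager for every HttpsURLConnection in the process. */
    public static void install(Set<X500Principal> distrustedRoots) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the platform's default trust store
        X509TrustManager platform = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { platform = (X509TrustManager) tm; break; }
        }
        if (platform == null) throw new IllegalStateException("no X509TrustManager available");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new DistrustingTrustManager(platform, distrustedRoots) }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Inspecting the server-sent chain is an approximation, since the platform may have validated a different path through a cross-signed intermediate; on Android API 17 and later, android.net.http.X509TrustManagerExtensions.checkServerTrusted returns the chain that was actually validated and is the stricter thing to check.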