-CAfile option doesn't do what you expect:
-CAfile file
A file of trusted certificates. The file should contain one or
more certificates in PEM format.
it override the ISRG root X1 from trust store to ISRG-signed_by-DST because it's same identity: but non self signed certificate can't used as root in openssl verify unless:
-partial_chain
Allow verification to succeed even if a complete chain cannot be
built to a self-signed trust-anchor, provided it is possible to
construct a chain to a trusted certificate that might not be self-
signed.
option is set