This is an interesting idea, getting a Root-Cross-Sign valid for longer than the Root itself - I didn't knew that Android wasn't validating expiry dates on trust anchors, but it makes sense from a compatibility point of view.
I only have one concern: Does this work with other devices, other than Android?
Specifically, from what I believe to know (not exactly 100% sure though), old versions of OpenSSL (and GnuTLS) always validate up to the highest certificate in the chain, even if they should know that an intermediate is a valid trusted root. I think they don't have an "early return" like modern browsers, where validation is simply stopped as soon as a trust anchor is reached.
There are blog posts (or things discussed on various bugtrackers) that sound like trouble could happen with OpenSSL and GnuTLS as soon as DST Root CA X3 has expired. The cross-sign signature on ISRG Root X1 will still be valid, but if a client validates up to DST Root CA X3 after it has expired AND checks the expiry date (which isn't done by Android, but maybe OpenSSL/GnuTLS does?) validation will fail. This could apply EVEN if ISRG Root X1 is in the trust store, so validation without the cross-sign will work normally, but with the compatibility extension these devices will fail handshakes starting in late 2021+?
Is this concern valid, or is my assumption about the behavior of old versions of OpenSSL/GnuTLS incorrect?