I think I have. It was one of the reasons I wanted to add to add PEBBLE_CHAIN_LENGTH.
Check out the certificate chain of https://www.gogetssl.com. Or better yet, this screenshot.
USERTrust RSA Certification Authority is both a root and a cross-signature by AAA Certificate Services.
If I understand the new rules, I think the cross-signed version of USERTrust RSA Certification Authority doesn't need to have any EKUs.
Though as you already brought up, that might depend on whether there is any distinction between Subordinate CA vs Intermediate Certificate.