It occurred to me during the night that zlint probably implements this rule. This morning I went to run zlint against the new cross-signature ... and it's been removed from the website: Remove IdenTrust cross-signatures for R3 and R4 intermediates · letsencrypt/website@4123253 · GitHub
zlint does flag the new cross-signature under that rule, though only at the info level because apparenty the linter doesn't know whether it's a cross-signature or not.