by nickf 967 days ago
"...because they have very limited use in public CAs" Not really. It was/is mostly because NCs aren't 'widely' supported, even now. Name Constraints (referred to as 'Technical Constraints') allows - currently - a public CA to issue a CA certificate with NCs to a third party who then wouldn't require the full panel of WebTrust audits. It's very rarely used, and the one I dealt with eventually got wound down for myriad reasons including how tricky it really is to run a public CA, even a constrained one.

Some solutions (ADCS) obeyed name constraints when signing, but that doesn't help much.

Also - checking the cacert bundle isn't really a good test - that's for roots and you'll not find name constraints there. You'd better look at the thousands of issuing CAs (but the number is still tiny).
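An added worked example (not part of the comment above, and not anyone's production tooling): it builds a throwaway root, a sub CA carrying a critical Name Constraints extension limited to `example.com`, and two leaves, one inside and one outside that subtree. The sub CA signs both without objection; it is the validator (`openssl verify` here) that rejects the out-of-scope leaf. It also includes a small bundle scanner of the kind the comment alludes to, counting certificates that carry Name Constraints, which is what you would run against a set of issuing CAs rather than a root store. Assumes OpenSSL 1.1.1 or 3.x on PATH; every name, path and subject is made up.

```shell
#!/bin/sh
# Added example: name-constrained sub CA, enforced at validation time.
# Assumes a recent OpenSSL; all subjects, hostnames and paths are invented.
set -e

WORK=$(mktemp -d)

# Extension profiles (unnamed default section, picked up by -extfile).
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

cat > "$WORK/subca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
# The technical constraint: this CA may only certify DNS names under example.com
nameConstraints = critical, permitted;DNS:example.com
EOF

# Write a leaf profile: $1 = SAN hostname, $2 = basename
leaf_ext() {
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$1" > "$WORK/$2.ext"
}

# Issue a certificate: $1 = CN, $2 = basename, $3 = ext file, $4 = issuer basename ("" = self-signed)
issue() {
  cn=$1; name=$2; ext=$3; issuer=$4
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "/CN=$cn" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -out "$WORK/$name.pem" -days 30 -extfile "$ext" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -out "$WORK/$name.pem" \
      -days 30 -extfile "$ext" 2>/dev/null
  fi
}

build_pki() {
  issue "Test Root" root "$WORK/ca.ext" ""
  issue "Constrained Sub CA" subca "$WORK/subca.ext" root
  leaf_ext www.example.com inside
  issue www.example.com inside "$WORK/inside.ext" subca
  leaf_ext www.attacker.test outside
  # The sub CA signs this one too: OpenSSL does not enforce its own constraints at signing time.
  issue www.attacker.test outside "$WORK/outside.ext" subca
  # A small "issuing CA bundle" to scan: root plus sub CA.
  cat "$WORK/root.pem" "$WORK/subca.pem" > "$WORK/bundle.pem"
}

# Exit status 0 iff leaf $1 chains to the root via the sub CA AND satisfies the sub CA's name constraints.
verify_leaf() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/subca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Print how many certificates in PEM bundle $1 carry a Name Constraints extension.
count_name_constrained() {
  d=$(mktemp -d)
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n>0 {print > (d "/" n ".pem")}' "$1"
  c=0
  for f in "$d"/*.pem; do
    if openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'X509v3 Name Constraints'; then
      c=$((c+1))
    fi
  done
  echo "$c"
}

build_pki
if verify_leaf inside; then echo "inside (www.example.com): accepted"; fi
if verify_leaf outside; then echo "outside (www.attacker.test): accepted (!)"; else echo "outside (www.attacker.test): rejected by validator"; fi
echo "certificates with Name Constraints in bundle: $(count_name_constrained "$WORK/bundle.pem")"
```

Run it as-is; it needs no network. The scanner is deliberately crude (it splits on PEM markers and greps the text dump), but pointed at a collection of intermediate certificates rather than a root bundle it answers the question the comment raises: how many issuing CAs are actually technically constrained.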