Can't browsers at least restrict CAs like WoSign so that their roots are only accepted for .cn domains?

I realize that X.509 name constraints are utterly broken, but that doesn't mean that browsers can't manually restrict the domains that a given root is accepted for.