> Every time you visit a page the OS/browser doesn't go up the entire chain of trust and check for constraints.

Oh, certainly they do. Name constraints work just like that: https://tools.ietf.org/html/rfc5280#section-4.2.1.10

So does Extended Key Usage in practice, although it's not defined that way.

There are some platforms where name constraints aren't implemented, but CAPI (Windows) certainly does implement it and I believe that NSS does also.