X.509 Name Constraints

[maffe]

Name Constraints can be used to limit the namespace a CA can issue certificates for. For example, one may have a trusted CA for *.iot.example.org without the CA being able to issue certificates for bank.example.com.

As for support, I found this document from 2016 stating

As of now, Windows CryptoAPI and OpenSSL fully support Name Constraints certificate extension. However, neither of Apple products: Mac OS X, nor iOS does support this extension. Since, Name Constraints is always marked critical, Apple products will reject any certificate that contains Name Constraints extension in any certificate in the certificate chain.

The Archived Results from BetterTLS have more recent data.