
Granular control over certificate trust settings

0 votes
1 answer
60 views
**TL;DR** I'm looking for a way to granularly control whether macOS trusts a certificate for each individual purpose specified in the Basic Constraints (2.5.29.19), Key Usage (2.5.29.15), and Extended Key Usage (2.5.29.37) extensions.

----

Consider the following (example) certificate:

```plain
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
```

I would like to trust this certificate for the following purposes:

- Securing connections to imaginaryorganization.example.com
- Signing emails from and encrypting emails to imaginary@imaginaryorganization.example.com
- Signing code

but **not** for the following purposes:

- **Acting as a certificate authority** (despite the fact that the certificate claims in the Basic Constraints extension that it is a certificate authority)
- Time stamping
- OCSP signing
- CRL signing
- Certificate signing

**How can I accomplish this?** Keychain Access only gives a [very limited set of options](https://support.apple.com/guide/keychain-access/kyca11871/mac/14.0) for certificate trust settings.

### Bonus questions

- Is there a way to trust a CA for signing S/MIME certificates but **not** for authenticating client-server connections (or vice versa)?
- Is there a way to trust a CA for signing certificates only belonging to a certain domain or subdomain, or to a list of domains or subdomains?
Asked by Ben Zelnick (203 rep)
Dec 30, 2023, 09:59 PM
Last activity: Jan 30, 2024, 06:07 PM
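The question hinges on the difference between what a certificate *declares* (its Basic Constraints, Key Usage and Extended Key Usage extensions) and what a relying party *grants*. The following is an added example, not part of the question and not macOS's own trust-settings code: it decodes those three extensions with a minimal DER walker and then applies a local per-purpose policy that can only narrow the declared set, which is the model a granular trust setting would have to implement. The extension bytes are constructed here to mimic an over-broad certificate like the one described (CA=TRUE, keyCertSign/cRLSign, and five EKU purposes); the EKU OIDs are the standard ones from RFC 5280, RFC 3161 and RFC 6960; the names `ALLOWED_PURPOSES`, `declared_purposes` and `effective_trust` are hypothetical. Hostname and e-mail-address scoping of the serverAuth and emailProtection purposes is not modelled.

```python
"""Decode the X.509 purpose extensions (Basic Constraints, Key Usage, Extended
Key Usage) with a minimal DER walker and evaluate them against a local
per-purpose trust policy.  The extension bytes are CONSTRUCTED for this
example; they are not the certificate from the question."""

# Extension OIDs named in the question; EKU purpose OIDs from RFC 5280/3161/6960
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"
OID_EXT_KEY_USAGE = "2.5.29.37"
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
}
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

# --- minimal DER encode/decode -------------------------------------------
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                               # long-form length
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def parse_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_sequence(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        items.append((tag, val))
    return items

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit marks continuation
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def encode_key_usage(names):
    idx = [KEY_USAGE_BITS.index(n) for n in names]
    nbits = max(idx) + 1                # DER: no trailing zero bits
    nbytes = (nbits + 7) // 8
    value = sum(1 << (nbytes * 8 - 1 - i) for i in idx)
    return tlv(0x03, bytes([nbytes * 8 - nbits]) + value.to_bytes(nbytes, "big"))

def decode_key_usage(body):
    unused, data = body[0], body[1:]    # first byte = unused bits in last byte
    total = len(data) * 8 - unused
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total and (data[i // 8] >> (7 - i % 8)) & 1]

# --- constructed sample: Extensions of an over-broad certificate ----------
def build_sample_extensions():
    def ext(oid, value, critical=False):
        crit = tlv(0x01, b"\xff") if critical else b""
        return tlv(0x30, encode_oid(oid) + crit + tlv(0x04, value))
    basic = tlv(0x30, tlv(0x01, b"\xff"))                        # cA = TRUE
    ku = encode_key_usage(["digitalSignature", "keyEncipherment",
                           "keyCertSign", "cRLSign"])
    eku = tlv(0x30, b"".join(encode_oid(o) for o in EKU_NAMES
                             if o != "1.3.6.1.5.5.7.3.2"))       # all but clientAuth
    return tlv(0x30, ext(OID_BASIC_CONSTRAINTS, basic, True)
               + ext(OID_KEY_USAGE, ku, True) + ext(OID_EXT_KEY_USAGE, eku))

def declared_purposes(extensions_der):
    """What the certificate itself claims it may be used for."""
    out = {"ca": False, "key_usage": [], "ext_key_usage": []}
    for _, ext_body in parse_sequence(parse_tlv(extensions_der)[1]):
        fields = parse_sequence(ext_body)
        oid, value = decode_oid(fields[0][1]), fields[-1][1]    # skip optional 'critical'
        if oid == OID_BASIC_CONSTRAINTS:
            out["ca"] = any(t == 0x01 and v == b"\xff"
                            for t, v in parse_sequence(parse_tlv(value)[1]))
        elif oid == OID_KEY_USAGE:
            out["key_usage"] = decode_key_usage(parse_tlv(value)[1])
        elif oid == OID_EXT_KEY_USAGE:
            out["ext_key_usage"] = [EKU_NAMES.get(decode_oid(v), decode_oid(v))
                                    for _, v in parse_sequence(parse_tlv(value)[1])]
    return out

# Local policy (the asker's wish list): purposes the relying party grants.
ALLOWED_PURPOSES = {"serverAuth", "emailProtection", "codeSigning"}

def effective_trust(declared, allowed=ALLOWED_PURPOSES):
    """Trust only narrows: a purpose is usable only if the certificate claims
    it AND local policy grants it.  CA/certSigning/crlSigning come from Basic
    Constraints and Key Usage rather than from the EKU list."""
    claimed = set(declared["ext_key_usage"])
    if declared["ca"]:
        claimed.add("certAuthority")
    if "keyCertSign" in declared["key_usage"]:
        claimed.add("certSigning")
    if "cRLSign" in declared["key_usage"]:
        claimed.add("crlSigning")
    return {p: ("trusted" if p in allowed else "denied") if p in claimed else "not-declared"
            for p in sorted(claimed | allowed)}

if __name__ == "__main__":
    verdicts = effective_trust(declared_purposes(build_sample_extensions()))
    for purpose, verdict in verdicts.items():
        print(f"{purpose:16} {verdict}")
```

Run as a script it prints one verdict per purpose: serverAuth, emailProtection and codeSigning come out `trusted`, while certAuthority, certSigning, crlSigning, timeStamping and OCSPSigning are `denied` even though the certificate declares them. A purpose in the local policy that the certificate does not declare reports `not-declared`, which is the other half of the model: a trust setting cannot add a capability the certificate never claimed.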