Yesterday, when googling for something else, I found something interesting: the difference between the code signing and object signing certificate extensions.
https://bugzilla.mozilla.org/show_bug.cgi?id=321156#c2:
IIRC, there are two separate definitions for validity of cert chains for signing code.
They are known as "object signing" (originally: Netscape Object Signing) and "code signing".

Code signing has the simpler and less rigorous definition. It requires that
the EE cert have the code signing OID in the EKU, and that the "trust anchor"
(typically the root) be marked trusted for code/object signing, and that the
chain be complete between the two (all cert signatures verifiable, none expired, etc.)
Code signing does NOT require any special EKU OID in intermediate CAs
(or, indeed in any CAs). It only requires the special EKU in the EE cert.

Object Signing has a slightly more complicated and more rigorous definition.
It is like code signing, except that it ALSO requires that all intermediate
CAs between the trust anchor and the EE cert have a special EKU OID, or
a special Netscape cert type extension with the object signing bit present.
[Abbreviations]
CA stands for "Certificate Authority"
EE stands for "End Entity"
EKU stands for "Extended Key Usage"
OID stands for "Object ID"
To conclude, code signing is subject to a less rigorous security check than object signing. During certificate verification, code signing only has to be present in the EE certificate, not in each CA certificate in the chain, while object signing has to be present both in the EE certificate and in each intermediate CA certificate in the chain.
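The two policies from the quoted comment, side by side, as an added example (not code from Mozilla, NSS or the original post). Certificates are modelled as plain records, signature and expiry checks are collapsed into a `valid` flag, and using id-kp-codeSigning as the "special EKU OID" for intermediate CAs is an assumption; the chains are constructed sample data.

```python
from dataclasses import dataclass, field

# id-kp-codeSigning (RFC 5280). Assumption: the comment's "special EKU OID"
# for intermediate CAs is modelled with this same OID.
CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3"

@dataclass
class Cert:
    name: str
    eku: set = field(default_factory=set)  # EKU OIDs present in the cert
    ns_object_signing: bool = False        # Netscape cert type object-signing bit
    trusted_for_signing: bool = False      # trust flag, meaningful on the anchor
    valid: bool = True                     # signature verifies and not expired

def code_signing_ok(chain):
    """chain is ordered EE first, trust anchor last."""
    if len(chain) < 2:
        return False
    ee, anchor = chain[0], chain[-1]
    return (all(c.valid for c in chain)        # complete, verifiable chain
            and CODE_SIGNING_EKU in ee.eku     # EKU required only in the EE
            and anchor.trusted_for_signing)    # anchor trusted for signing

def object_signing_ok(chain):
    """Code-signing rules plus a marker on every intermediate CA."""
    intermediates = chain[1:-1]
    return code_signing_ok(chain) and all(
        CODE_SIGNING_EKU in c.eku or c.ns_object_signing
        for c in intermediates)

def sample_chains():
    """Constructed chains: same EE and root, different intermediates."""
    root = Cert("Root", trusted_for_signing=True)
    ee = Cert("Publisher", eku={CODE_SIGNING_EKU})
    return {
        "bare_intermediate": [ee, Cert("Sub CA"), root],
        "ns_marked_intermediate": [ee, Cert("Sub CA", ns_object_signing=True), root],
        "eku_marked_intermediate": [ee, Cert("Sub CA", eku={CODE_SIGNING_EKU}), root],
        "ee_without_eku": [Cert("Publisher"), Cert("Sub CA", ns_object_signing=True), root],
    }

if __name__ == "__main__":
    for label, chain in sample_chains().items():
        print(f"{label}: code={code_signing_ok(chain)} object={object_signing_ok(chain)}")
```

The `bare_intermediate` chain is the case that separates the two definitions: it passes the code signing check and fails the object signing check.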