Thanks for raising this point! Honestly, I'm not sure. Probably not. Given that localdots is meant to be used only for local development, would this be considered an important feature anyway? I'm not sure I see the security concerns here.
Rather than meddling with putting Constraints on a self-signed root cert, I'd suggest considering automatically destroying the root's private key after making any needed certs. That is, the root's private key exists only long enough to issue certificates for this session, then it's destroyed. If the user changes things, you don't re-use that root CA; you distrust it and make a new one, for which the private key would likewise only exist during setup and then be destroyed.
This way the only possible certificates that can ever exist are those created during setup. After that nobody can sign more certificates because the private key needed doesn't exist any more, so you don't need to worry about constraints (which can have compatibility problems, e.g. that's why Let's Encrypt X3 and X4 exist instead of X1 and X2 these days).
1: https://nameconstraints.bettertls.com/#!about
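The ephemeral-root idea suggested above, as an added sketch in Go; it is not localdots code and not from anyone in the thread. The names `IssueSession` and `sign`, the host `app.localhost`, the Ed25519 keys and the 24-hour validity are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under parent with signer and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueSession creates a throwaway root and signs one leaf for host and leafPub.
// The root key is never returned or written out and is zeroed on exit.
func IssueSession(host string, leafPub ed25519.PublicKey) (root, leaf *x509.Certificate, err error) {
	rootPub, rootKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	defer copy(rootKey, make([]byte, len(rootKey))) // overwrite the root key with zeros
	now := time.Now()
	rootT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed dev root"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leafT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if root, err = sign(rootT, rootT, rootPub, rootKey); err != nil {
		return nil, nil, err
	}
	leaf, err = sign(leafT, root, leafPub, rootKey)
	return root, leaf, err
}

func main() {
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // public half of the dev server's key pair
	root, leaf, err := IssueSession("app.localhost", pub)
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf signed by session root:", leaf.CheckSignatureFrom(root) == nil)
}
```

Zeroing memory is best effort in a garbage-collected runtime. The stronger property here is that the root key is never written to disk or handed back to the caller, so a changed host list means a new root and removing the old one from the trust store.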