Certificate policies are specified in the trusted identity along with trust. Some certificate authorities contract with Adobe to include their trusted root certificates in the Adobe-sponsored list, which Acrobat/Reader may periodically download and update from the Adobe server. Each certificate authority specifies which certificate policies to include in their certificates. So in the case of "DoD Root CA 2" it is DoD that sets certificate policies for their certificates and specifies Policy Restrictions in this trusted root identity when it is included in the Adobe-sponsored list.
As to why DoD issues signing certificates with policies other than those defined in the "DoD Root CA 2" trusted root included in the Adobe-distributed list, I can only speculate that perhaps DoD has some internal mechanism of distributing trust lists, such as GPO-controlled ones, and that the ones they distribute internally may indeed have the certificate policies found in the signer certificate in the PDF that you received. The goal here is to restrict which document recipients may get a valid signature.
Of course, one can go to the Acrobat UI and change the Policy Restrictions, but this requires some work and knowledge of how to do that.
Some organizations distribute different trust lists internally to different divisions, so that only signatures with the Policy Restrictions specified for a specific division get validated as Valid out-of-the-box, but not when the same signature is validated in a different division. The Adobe-distributed trust list contains only Policy Restrictions applicable to everybody.
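The mechanism described in this answer, as an added example that is not part of the original thread: it builds a constructed root certificate (asserting no policies itself) and a signer certificate with Python's `cryptography` package, then validates the same signer against two trust lists whose entries for that root carry different Policy Restrictions. The policy OIDs, certificate names and the one-level chain are assumptions of the example, not DoD or Adobe values.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed policy OIDs under a private arc; they stand in for real DoD policy OIDs.
EVERYONE_POLICY, DIVISION_POLICY = "1.3.6.1.4.1.99999.1.1", "1.3.6.1.4.1.99999.1.2"

def make_cert(subject, issuer, pub, signing_key, policies, is_ca):
    # Minimal X.509 certificate; 'policies' becomes its certificatePolicies extension.
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pub)
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=1))
         .not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if policies:
        b = b.add_extension(x509.CertificatePolicies(
            [x509.PolicyInformation(x509.ObjectIdentifier(p), None) for p in policies]), critical=False)
    return b.sign(signing_key, hashes.SHA256())

def cert_policies(cert):
    # Policy OIDs the certificate itself asserts; empty if it has none (as the root here).
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
    except x509.ExtensionNotFound:
        return set()
    return {p.policy_identifier.dotted_string for p in ext}

def signature_status(signer, trust_list):
    # trust_list: [(anchor_cert, allowed_policy_oids)]; an empty set means no Policy Restriction.
    for anchor, allowed in trust_list:
        if signer.issuer != anchor.subject: continue
        try:  # one-level chain (signer issued directly by the anchor) is an assumption of this example
            anchor.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                       ec.ECDSA(signer.signature_hash_algorithm))
        except InvalidSignature:
            continue
        return "valid" if not allowed or allowed & cert_policies(signer) else "policy-mismatch"
    return "untrusted"

ROOT_KEY, SIGNER_KEY = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
ROOT_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Root CA")])
ROOT_CERT = make_cert(ROOT_NAME, ROOT_NAME, ROOT_KEY.public_key(), ROOT_KEY, [], True)  # no policies
SIGNER_CERT = make_cert(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Signer")]),
                        ROOT_NAME, SIGNER_KEY.public_key(), ROOT_KEY, [DIVISION_POLICY], False)
VENDOR_LIST = [(ROOT_CERT, {EVERYONE_POLICY})]    # same root, restriction "applicable to everybody"
DIVISION_LIST = [(ROOT_CERT, {DIVISION_POLICY})]  # same root, list distributed internally to one division
def demo():
    return signature_status(SIGNER_CERT, VENDOR_LIST), signature_status(SIGNER_CERT, DIVISION_LIST)
```

The signer chains to the same root in both lists; only the Policy Restriction attached to the root entry differs, which is why the signature is Valid in one division and not in the other.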
Thanks for the reply.
Just to make sure I'm clear, DoD is essentially telling Adobe which certificate policies to associate with DoD Root CA 2 when it's included in Reader (or other Adobe products)? The DoD Root CA 2 certificate itself has no certificate policies.
This is correct.