What I mean is, I cannot set a policy that emails with DKIM signatures that allow length extension should not be trusted.
That's up to your MTA though. I know Stalwart has an option for it for example, but there are others.
Thinking about it, I guess you're right. While I'd like some way to say "never trust a DKIM signature claiming to be from me if it allows extension", the reality is that the only way for somebody to get their hands on such a message is if my MTA produced one in the first place.