The spec doesn't explicitly prevent introducing Predefined/Subtype extensions when defining a new STIX object, but it should be more fleshed out in the spec.
Also, there is some text (see 11.3) that "STIX supports user-defined custom extensions for STIX Cyber-observable Objects (SCO)" and "Note, custom extensions can only be used with SCOs." New SDO types should be able to define Predefined/Subtype extensions also. Because that text is not normative, it is not prohibited to do that in STIX 2.1 (this was done with the Incident core's new SDO impact). It also is describing "custom extensions", which are not what Predefined/Subtype extensions are in this context.