Certification-capable subkeys should be held to the same standard as signing-capable ones
I.e. they should need a primary key binding signature. Otherwise, they would allow transitive rebinding of signing keys, the exact same thing the primary key binding signature should protect against.