Yes. The whole *point* is that nowhere in 2.2 does it *say* that (for
example)
the client is in the wrong if it sends a BDAT verb (rfc3030) if the
BDAT extension wasn't listed in the EHLO response.
Recall that RFC 2119 restricts use of imperatives to situations where
they are necessary to ensure interoperability.
(a) that's widely regarded as a bug in 2119 (IIRC it was only included because
one IESG member insisted on it and wouldn't remove his DISCUSS vote until that
text was added) and (b) it's mostly irrelevant to the question at hand, because
nothing requires a document to use 2119 (documents are free to define MUST
etc. as they see fit) and there are other ways to say "do not do this" without
saying "MUST NOT".
more to the point, this looks like a bug in RFC 2821 - I'm pretty sure that
the intent is that clients MUST NOT use extensions that are not asserted
by the server in its EHLO response. something for the errata page?