Prior to J3.6, if some extension or library for some reason made a call to the JUser::authorise() method, then 'isRoot' was populated and was made available to all subsequent page loads due to the persistence. It was never applicable to any user other than the one logged in anyway.
But it is not correct to rely upon some other code to do something that you require.
So you must make a call to the $user->authorise method before you rely on the isRoot parameter. But I wonder, why would you use isRoot when you have to call authorise anyway?
Better to follow what Hannes already said. NEVER use the isRoot attribute, as it is strictly meant for internal optimisation.
--
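
The pitfall described in the message above, as an added example that is not part of the original post and is not Joomla's own code. `DemoUser`, `$superUserIds` and `requireSuperUser()` are hypothetical names in a simplified model where `isRoot` is a cache filled only by `authorise()`; `core.admin` is used as the action name.

```php
<?php
// Simplified model written for this example; it is NOT Joomla's JUser source.
// DemoUser, $superUserIds and requireSuperUser() are hypothetical names.
final class DemoUser
{
    /** Internal cache: null until authorise() has run, then true or false. */
    public $isRoot = null;

    private $id;
    private $superUserIds;

    public function __construct(int $id, array $superUserIds)
    {
        $this->id = $id;
        $this->superUserIds = $superUserIds;
    }

    /** The supported check: computes the cached flag on first use. */
    public function authorise(string $action): bool
    {
        if ($this->isRoot === null) {
            $this->isRoot = in_array($this->id, $this->superUserIds, true);
        }
        // In this toy model only super users are granted anything.
        return $this->isRoot;
    }
}

/** Permission gate that does not depend on what earlier code happened to call. */
function requireSuperUser(DemoUser $user): bool
{
    return $user->authorise('core.admin');
}

$admin = new DemoUser(42, [42]); // constructed sample data: user 42 is a super user

// Fragile: nothing has called authorise() yet, so the cache is still empty
// and a genuine super user fails this check.
var_dump($admin->isRoot === true);

// Robust: the decision goes through authorise().
var_dump(requireSuperUser($admin));

// The cache is populated only now, as a side effect of the call above.
var_dump($admin->isRoot === true);
```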