79736266

Date: 2025-08-15 08:59:37
Score: 1
Natty:

Aside from the Required Claims as defined by the specification, the Authorization Server MAY include other Claims in the ID Token and can include additional Claims in the UserInfo response.

That is to say, the specification leaves it up to the implementation exactly what information you return beyond the required. It could make decisions based on the User's preference, what is required by privacy laws, how much it trusts the Clients involved, etc. So Shibboleth is within spec by not including the email in the ID token by default, but so is Keycloak for including it.

As for your question: Querying the UserInfo endpoint for claims you need that aren't present is compliant and seems to be the best way to handle this. Getting more information about a user is part of the purpose of the UserInfo endpoint.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (1):
Posted by: user25718310
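The fallback the answer recommends, as an added example that is not part of the original answer or of any OIDC library: take the claims you need from the ID Token first, and call the UserInfo endpoint only for the ones the Authorization Server left out. The issuer, subject, client id, access token string and claim values are constructed for the demo; signature verification of the ID Token is assumed to have been done by the client library before `resolve_claims` is called. `fetch_userinfo_http` is a plain Bearer-token GET as the spec describes; `fake_userinfo` stands in for it so the example runs offline.

```python
import base64
import json
import time
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# Claims OpenID Connect Core 1.0 requires in every ID Token.
REQUIRED_ID_TOKEN_CLAIMS = ("iss", "sub", "aud", "exp", "iat")


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def id_token_payload(id_token: str) -> Dict:
    """Decode the payload of a compact-serialized ID Token.

    Assumption: the token's signature was already verified by the OIDC
    client library. This helper only parses it and checks the required claims.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID Token is not a three-part compact JWS")
    payload = json.loads(_b64url_decode(parts[1]))
    missing = [c for c in REQUIRED_ID_TOKEN_CLAIMS if c not in payload]
    if missing:
        raise ValueError(f"ID Token lacks required claims: {missing}")
    return payload


def fetch_userinfo_http(userinfo_endpoint: str, access_token: str) -> Dict:
    """Real UserInfo call: GET the endpoint with the Access Token as a Bearer token."""
    req = urllib.request.Request(
        userinfo_endpoint, headers={"Authorization": f"Bearer {access_token}"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def resolve_claims(id_token: str, access_token: str, wanted: Iterable[str],
                   fetch_userinfo: Callable[[str], Dict]) -> Tuple[Dict, Dict]:
    """Collect the `wanted` claims: ID Token first, UserInfo only for the rest.

    Returns (claims, sources); sources maps each found claim to "id_token"
    or "userinfo" so the caller can see where a value came from.
    """
    wanted = list(wanted)
    payload = id_token_payload(id_token)
    claims, sources = {}, {}
    for name in wanted:
        if name in payload:
            claims[name] = payload[name]
            sources[name] = "id_token"
    still_missing = [n for n in wanted if n not in claims]
    if still_missing:
        info = fetch_userinfo(access_token)
        # OIDC Core: the UserInfo "sub" MUST match the ID Token "sub";
        # on a mismatch the UserInfo response must not be used.
        if info.get("sub") != payload["sub"]:
            raise ValueError("UserInfo 'sub' does not match ID Token 'sub'")
        for name in still_missing:
            if name in info:
                claims[name] = info[name]
                sources[name] = "userinfo"
    return claims, sources


# ---- constructed sample data (demo tokens, not real ones) ---------------
def make_unverified_token(payload: Dict) -> str:
    """Build a compact JWS with a placeholder signature, for this demo only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url_encode(b'placeholder-signature')}"


_NOW = int(time.time())
_BASE = {"iss": "https://idp.example", "sub": "u-123", "aud": "my-client",
         "exp": _NOW + 300, "iat": _NOW}
# Shibboleth-like default: only the required claims in the ID Token.
MINIMAL_ID_TOKEN = make_unverified_token(_BASE)
# Keycloak-like default: email already present in the ID Token.
FULL_ID_TOKEN = make_unverified_token({**_BASE, "email": "alice@example.org"})


def fake_userinfo(access_token: str) -> Dict:
    """Offline stand-in for fetch_userinfo_http returning a constructed response."""
    if access_token != "at-demo":
        raise PermissionError("constructed endpoint rejects unknown access token")
    return {"sub": "u-123", "email": "alice@example.org", "email_verified": True}


if __name__ == "__main__":
    for label, token in (("minimal", MINIMAL_ID_TOKEN), ("full", FULL_ID_TOKEN)):
        print(label, resolve_claims(token, "at-demo", ["sub", "email"], fake_userinfo))
```

With the minimal token `email` is sourced from UserInfo; with the full token the endpoint is never contacted. The `sub` comparison is the check worth keeping in real code: it ties the UserInfo response to the identity the ID Token asserted.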