The signature algorithm used in the root certificate is not used to establish trust against the root certificate because a root certificate is trusted by the virtue of a copy of the root certificate is installed in the browser, either included in the browser as part of the installation, or added later by the user to their certificate store.
For the rest of the trust chain, including intermediate and end certificate, a root certificate asserts the authority and encoded data in the intermediate certificate by cryptographically signing the signature of the intermediate certificate with its private key. Likewise, the intermediate certificate asserts the authority and encoded data in the end certificate by cryptographically signing the signature of the end certificate. There can be more than one level of intermediate certificates.
If an intermediate or end certificate has a weak signature, then it is possible that an attacker can generate two certificates with the same signature with different encoded information (e.g. looks-harmless.com and your-bank.com). The attacker can then ask a certificate authority to sign one of the certificate (looks-harmless.com) then copied the signature to the other certificate (your-bank.com).
The problem with SHA1 is that it has flaws that renders it feasible for an attacker with sufficient resource to find such collisions.
In your example, if intermediate Certificate 3 has SHA1 signature, then it is vulnerable to this attack. If the scanner didn't flag this chain as untrusted, then it should have.