POD provider Origin also trusted by default?

The error message in https://github.com/EFForg/privacybadger/issues/2240#issuecomment-446429064 made my think about the following: May it be that a apps on user's POD on a multiuser setup, e.g. https://testpb.dev.inrupt.net/ will not only load from self, but also from the Provider's https://dev.inrupt.net/ ? In which case the latter should also be trusted by default?