Right, the fact that the initial scratch buffer is untrusted is a bug AFAICT. I'm considering adding a workaround to this issue in trust-manager, although ideally it should (also) be solved upstream.