This is by design, and Trusted Hosts is different than the allowed domains in the CORS Settings further down the page in Configuration > Basic Settings.
To limit which domains are allowed to embed the tracking pixel, all the domains and subdomains to be tracked (http and https, non-www and www) should be included in CORS settings. The Trusted Hosts is related to where Mautic is running behind a proxy such as a Load Balancer, which is not the case for most users.
Mautic should lock users out when the incorrect setting is entered in Trusted Hosts, as its a security setting. That’s why the Github issue was closed because the “problem” is due to user error, even though the documentation could probably be improved.