@verius In the case of a malicious server publishing false aliases, none of the other profiles you use (previously stored with remote nodes as verified/recognized as "yours") would acknowledge the newly added alias, and thus the trustworthiness is low and it does not get (at least automatically) accepted.
Or similarly to #OpenPGP, where the only way you can trust that someone is who they say they are is to either verify it yourself or use verified and trustworthy friends.
This is why I said a heckofalot of logic is required. Also human interaction. This is also the reason no ordinary mortals bother with #OpenPGP and just trust centralised authorities instead. Because humanity is fucked up lazy.