Hey! thanks for the response, I edited my post and hopefully it's a bit clearer now 
From your link, I'm starting to think that my initial assumption about the trustedIps list was wrong.
Perhaps when the list is empty it means "trust everyone" and in order to "trust no one" I should add an impossible IP to the list.
I'll give that a shot and report back here!