Correct. In the current state of the code automatically inserting the certificate is still VERY risky because I haven't implemented certificate security checks yet.
If the checks are not in place. any [npub].nostr could publish a self-signed certificate with *.google.com and your system would trust it. Allowing a MITM attack.
Just be aware of this when testing. It's very experimental.