pull down to refresh

It’s still a form of verification, as you show from your example. It verifies control of the server and DNS for the specified domain.
Maybe clients should display a “potential spoofing” warning if the username contains a domain that doesn’t match where the nip05 is hosted. That’s different than saying it verifies nothing.