[otoburb]

Consider the circumstance where a carrier portal sits on subnets owned by the carrier. In this case, unencrypted HTTP requests to the portal originating from the carrier's proxy are usually considered trusted.

In such a circumstance, carriers may consider this "trusted".

[naz]

That's true. I imagine they'll be considering some third-party sites trusted too.

[mdpye]

I believe that in cases where the third party site lies outside the carrier infrastructure and the header is plain text (some carriers encrypt the value), a carrier<->site operator VPN is required.

People shouldn't really be surprised that ALL mobile web traffic is heavily proxied (and transformed, by default). You probably wouldn't want to experience a direct net connection as flaky as mobile ones actually are.