I wish I was more knowledgable about this so hopefully a network TME or other expert replies on this. The 8.1 nag.pdf (network admin guide) https://library.netapp.com/ecm/ecm_get_file/ECMP1113296 has the same quote you listed but goes further to say only HTTP is allowed by default. From the command reference, https://library.netapp.com/ecm/ecm_get_file/ECMM1281126 it says untrusted can't be applied to an interface group...so only a single interface not in a vif/ifgrp. The file system admin guide gives some more information https://library.netapp.com/ecm/ecm_get_file/ECMP1114231 "You restrict HTTP access by marking the subnet interface as untrusted. An untrusted subnet interface provides only read-only HTTP access to the storage system. By default, a subnet interface is trusted."
nag.pdf
Specifying whether a network interface is trusted
You can specify whether a network interface is trustworthy or untrustworthy. When you specify an
interface as untrusted (untrustworthy), any packets received on the interface are likely to be dropped.
For example, if you run a ping command on an untrusted interface, the interface drops any ICMP
response packet received.
About this task
Applications using protocols such as NFS, CIFS or HTTP can choose to accept packets only from
trusted interfaces. If the destination interface is set as untrusted, it can receive packets from untrusted
interfaces. Otherwise, the packets from untrusted interfaces are dropped. By default, only HTTP
allows receiving packets from untrusted interfaces.