HI @nolma,
As mentioned you can verify that assets are coming from who you expect due to the fact that those are certified and verified with the NNS root key, however, the situation you mentioned could still happen that someone would serve something else from a domain name. To avoid that you can use the Local HTTP Proxy, this proxy takes care of the HTTP Gateway Protocol, but locally in your machine, and for all the domain names that include the canister id in it e.g. {canister-id}.icp0.io, it will not need to do the DNS call as it can get the canister id from the URL and so you won’t have a situation where someone could hijack the domain name.
If you would like to have that same level of e2e security but for accessing custom domains that do not include the canister id in it, then i encourage you to follow the Naming System Working Group, there we are discussing and setting the standards for CNS, our approach at Decentralized DNS Root Servers, once that is established there will be a way to also verify the DNS queries.