There will be things that are security capable, things that are not security capable, and things that are somewhere in between. What those things can do, and how much an application can trust a given thing should therefore be tiered based on the security capabilities that the thing can do, and what the thing is willing to do in a given context.