The underlying XRD files will be retrieved via SSL when possible, with fallback to normal HTTP. In the latter case, the XRD files need to have valid signatures in order to be seen as secure.

The XRD subject is also verified. When it does not match the host name of the email address, then the information are seen as insecure.

You should not trust the information if they are not secure.

require_once 'Net/WebFinger.php';
$wf  = new Net_WebFinger();
$react $wf->finger('');
if (!
$react->secure) {
"Those data may not be trusted\n");

You often still want to use the data, since not all hosts have SSL enabled.