Whether the user's trust policy failed to load (see read_error).
Callers gating on trust MUST check this and fail closed: a failed load
means a configured deny may be missing, so whole-config project trust
must not be honored. Named so the fail-closed contract is discoverable
rather than resting on every caller remembering the read_error
sentinel.