Hello again,
I have understood a few things lately, and this issue is addressed by the “new” authentication workflow described at https://github.com/solid/authentication-panel/blob/master/oidc-authentication.md.
Indeed, the OpenID provider now signs a token binding together the application’s origin, the WebID of the user, and the public key of the user. So under the new Multi-RS use case, it will be easy to check that the app removed the Origin header.