No you never do that. The remote service has it own secret key/password you never get to see. it logs in with ITS credentials. It has webid. You only give it the read/write/append access you want to explicitly give it, using the ACL system as it stands right now.
It is really important to distinguish the different cases. The origin header is only used with web apps. Web apps are not trusted. Now. In Solid. right now. The browser always restricts the script as to what it can do, and alerts the server. For a web app, the browser forces the origin header, and the app can’t turn it off. For any other case it is unused and irrelevant. You wouldn’t bother spoofing it, you would remove it, and then be a trusted app.
Yes, that is typical in a lot of systems. We could add this workflow. We would have to design it so that the remote service has a webid, as we would need to put that into the ACL system to grant it access to things.
(Down the road, it may be used to have a form of profile for an app, logging in as an agent, where it can declare itself as a (say) corporate agent rather than a human agent. (It could also down the road put digitally signed certificates that he service has been vetted as being benevolent, and thing like that.))