Solid servers may fetch the user’s webid document to confirm the identity provider if it is not the same host name, and will fetch the public keys for all identity providers (to check the access token). Identity providers will also fetch client registration documents.
Any user can in fact make the Solid server connect to any other server. What if a malicious user makes my server connect to a website that is illegal to even visit (for instance, one hosting child pornography or terrorist propaganda)? Has anyone ever been in this situation? Are there recommendations for self-hosting a Solid server in this regard?