With /etc/nsswitch.conf set to local followed by bind the query is likely to resolve from /etc/hosts first which cannot be relied upon to be accurate.
Theoretically correct. But have a look at your /etc/hosts: In any environment with a working DNS setup, you should find no other record than localhost 127.0.0.1 and perhaps localhost ::1. So, for any other IP address, DNS is queried. If you fear that someone manipulates /etc/hosts, you fear that someone gains root privileges on that machine. Why do you run code on a machine you can not trust?
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)