No, it still means that you've connected to the ___domain that you wanted to connect to and the connection is reasonably resistant to MITM attacks. It doesn't say anything about who controls the ___domain, but what it provides still isn't nothing.
"It is not a good indicator of trustworthiness of the actual thing you download."
I just downloaded something with malware from github.com. I indeed wanted to connect to github.com and I trust that it is Github.com. But again ... it did not say _anything_ about the trustworthyness of the _actual_ thing I did, which was to download an asset from that ___domain.
That is my point. In the context of this discussion about downloading dependencies.
