Currently, an authenticated email user who tries to impersonate another user by setting the "from" to that second user fails, because this is not permitted.
On the other hand, an email coming from an outside source can carry a "from" that impersonates a local user.
That second case is fine in the following situations:
- you are generating emails for your domain from another source (e.g. AWS SES, Mailchimp, ...)
- your WordPress installation is sending emails for your domain, but sending them from its local host at a different provider (the workaround would be to configure it to send the emails via the main email service)

but bad in these situations:
- outside spam can look like a legitimate email from another local user
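The two cases above can be told apart at delivery time. The sketch below is an added example, not code from the mail service discussed here: it rejects an authenticated sender whose "from" is not their own address, and flags unauthenticated mail with a local "from" unless it arrives from an approved outside source. The domain, the IP range, the function names and the "flag" verdict are assumptions chosen for illustration.

```python
from email import message_from_string
from email.utils import getaddresses
from ipaddress import ip_address, ip_network

# Assumed values for illustration; replace with your own domain and senders.
LOCAL_DOMAINS = {"example.org"}
APPROVED_OUTSIDE_SOURCES = [ip_network("198.51.100.0/24")]  # e.g. a bulk-mail provider

# Constructed sample message whose "from" names a local user.
SAMPLE_LOCAL_FROM = (
    "From: Bob <bob@example.org>\n"
    "To: alice@example.org\n"
    "Subject: invoice\n\n"
    "Please see attached.\n"
)

def from_addresses(raw_message):
    """Return every address in the From header(s), lowercased."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("From", []))
    return [addr.lower() for _name, addr in pairs if addr]

def classify(raw_message, client_ip, auth_user=None):
    """Return 'accept', 'reject' or 'flag' for one submitted message."""
    addrs = from_addresses(raw_message)
    if not addrs:
        return "reject"  # no usable From header at all
    if auth_user is not None:
        # Authenticated submission: From must be the authenticated user.
        if all(a == auth_user.lower() for a in addrs):
            return "accept"
        return "reject"
    # Unauthenticated (outside) delivery: only a local From is of interest.
    uses_local_from = any(a.rpartition("@")[2] in LOCAL_DOMAINS for a in addrs)
    if not uses_local_from:
        return "accept"
    ip = ip_address(client_ip)
    if any(ip in net for net in APPROVED_OUTSIDE_SOURCES):
        return "accept"  # the "fine" case: your own mail sent from another source
    return "flag"  # the "bad" case: outside mail that looks like a local user

if __name__ == "__main__":
    for ip, user in [("203.0.113.7", None), ("198.51.100.25", None),
                     ("203.0.113.7", "alice@example.org")]:
        print(ip, user, classify(SAMPLE_LOCAL_FROM, ip, user))
```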