How to add binary caches to flake.nix for non-root builds as a non-root user?

I’ve added the following to the flake.nix of a package I’m trying to build:

  nixConfig = {
    extra-substituters = [ "https://horizon.cachix.org" ];
    extra-trusted-substituters = [ "https://horizon.cachix.org" ];
  };

But when I run nix develop I get the following warning:

warning: ignoring untrusted substituter 'https://horizon.cachix.org', you are not a trusted user.
warning: ignoring the client-specified setting 'trusted-substituters', because it is a restricted setting and you are not a trusted user

It seems the only way to add myself as a trusted user is to edit my system-wide configuration.nix.

Why do I need to do a system-wide change that requires root for a non-root user account to use a binary cache? Yes, the binary cache could be dangerous, but so could anything they’re building, and I could easily download and run any executable from the internet without being a “trusted user”, so why do I need to be a “trusted user” to use a binary cache? I’m not asking NixOS to use this binary cache for when it’s doing system updates as root, I just want to use this binary cache for building the package represented in the flake as a non-root user.

Or am I missing something here and there is a way to add an extra binary cache as a non-root user without requiring root to change the system configuration?

Cache poisoning. An untrusted substituter could create malicious derivations for specific store paths, and your Nix would grab those instead of the official binary cache.

Not use, but to trust a binary cache. Any user can make use of whatever substituter is configured by the system, but only a trusted user can add or remove substituters.

Nix can’t stop you from doing whatever you do on the rest of your system, but it can certainly restrict you from doing dangerous things within its own scope of operation.


That’s also why I recommend never adding regular users to trusted-users - it’s passwordless root at that point.
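
The distinction drawn in the replies, as an added configuration example that is not from any poster in this thread: rather than putting an account in trusted-users, an administrator can allowlist the one cache system-wide, after which the extra-substituters line in the flake's nixConfig is honoured for ordinary users. The user name "alice" and the public-key value are placeholders; the real signing key for the cache is not given on this page.

```nix
# configuration.nix fragment (NixOS). Added example; "alice" and the key
# value below are placeholders, not values from the thread.
{ ... }:
{
  nix.settings = {
    # Weak: a trusted user can point the daemon at any substituter and
    # override restricted settings, which is why the last reply calls it
    # passwordless root.
    # trusted-users = [ "alice" ];

    # Narrower: allowlist only this cache. It is not used by default;
    # an untrusted user opts in per project, e.g. through
    # nixConfig.extra-substituters in flake.nix, and the daemon accepts
    # that request because the URL is listed here.
    trusted-substituters = [ "https://horizon.cachix.org" ];

    # Paths fetched from the cache are only accepted if signed by a key
    # the daemon trusts. This is also a restricted setting, so the key
    # has to be configured here rather than in the flake.
    trusted-public-keys = [
      "horizon.cachix.org-1:<PUBLIC-KEY-PLACEHOLDER>"
    ];
  };
}
```

With this in place the flake no longer needs extra-trusted-substituters; that setting is the one the second warning reports as restricted.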