I can nix-copy-closure (and nix-store --import) the paths which I cannot substitute from my binary caches.
I see, in your discourse it is a sort of yet unfixed bug.
But if you fix it, the idea of remote building would gone (as every builder will have to bootstrap all “untrusted” code from scratch, not trusting what user can upload).
Also, the third workaround is adding ?trusted=1 to binary cache urls (laughable security)