Is the trusted user inducing the problem a site administrator?
No it's teacher without any extended priviligies. I reapeated this issue on some clean installation of Moodle.
When I go to Course administration -> Users -> Permissions -> Check permissions, and even if moodle/site:trustcontent is set to No for specific user, I'm still able to put some basic javascript like:
<script type="text/javascript">
window.alert("Loerm ipsum.");
</script>
when I'm logged in as that user (Site administration -> Security -> Site policies -> Enable trusted content is set to No by default).
Yes, apparently the standard modules' description (intro) section is hardcoded to no XSS prevention and users must be trusted. This may be worthy of a tracker issue. Afaict right now the only way to resolve your issue is to either hack the code or require that user to increase the security level in the browser.