A domain host is the code that creates a domain and controls it. Typically, the host that creates the domain is also the only code that controls it afterwards – loading code into it, for instance – although there is no strictly enforced restriction that only that host may perform later operations. Any code with the necessary permissions (detailed below) and access to the object may perform any operation.
Domain hosts may or may not be trusted to provide evidence about code loaded in the assembly (providing evidence requires the SecurityPermission.ControlEvidence permission).
Security for domains created by hosts without SecurityPermission.ControlEvidence permission is determined by the security enforced on the host; any evidence passed to CreateDomain() is ignored. Thus, if a host does not have ControlEvidence permission then any domain it creates will have the same evidence as its host. (The ability to provide evidence potentially enables an escalation of permission; hence, this is a protected operation.)
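A host that relies on evidence to restrict a new domain should therefore confirm that it holds ControlEvidence before creating the domain and check the resulting domain's evidence afterwards. The following is an added example, not code from the original page; it assumes the .NET Framework with code access security, and the names `DomainHostExample`, `HasControlEvidence`, `DomainHasZone` and `SandboxDomain` are hypothetical.

```csharp
using System;
using System.Collections;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

static class DomainHostExample
{
    // True if every caller on the stack holds SecurityPermission.ControlEvidence.
    static bool HasControlEvidence()
    {
        try
        {
            new SecurityPermission(SecurityPermissionFlag.ControlEvidence).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    // True if the domain's host evidence contains the expected zone.
    static bool DomainHasZone(AppDomain domain, SecurityZone expected)
    {
        IEnumerator e = domain.Evidence.GetHostEnumerator();
        while (e.MoveNext())
        {
            Zone z = e.Current as Zone;
            if (z != null && z.SecurityZone == expected) return true;
        }
        return false;
    }

    static void Main()
    {
        // Constructed sample: the host wants loaded code treated as Internet-zone code.
        Evidence restricted = new Evidence();
        restricted.AddHost(new Zone(SecurityZone.Internet));
        if (!HasControlEvidence())
        {
            // Per the text above, the domain would simply get the host's own evidence.
            Console.WriteLine("No ControlEvidence: refusing to create an unrestricted domain.");
            return;
        }
        AppDomain sandbox = AppDomain.CreateDomain("SandboxDomain", restricted);
        try { Console.WriteLine("Internet zone applied: " + DomainHasZone(sandbox, SecurityZone.Internet)); }
        finally { AppDomain.Unload(sandbox); }
    }
}
```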