It’s technically easy to spoof traffic with Plausible and other analytics tools. Sending stats to any data-domain regardless of what hostname the script is running on is in fact desirable as it allows you to:
Our data-domain attribute provides this flexibility much like the GA tracking code.
It’s not an issue that’s exploited much in the real world, but it would still be nice to have an option to validate the domain/origin of the stats to filter out undesirable stats in case it does happen.
This is now possible. See https://plausible.io/docs/subdomain-hostname-filter#allow-traffic-from-specific-hostnames-only
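The hostname allowlist idea discussed in this thread, sketched as an added example (not part of the original posts and not Plausible's implementation). It assumes each event carries a `domain` (the data-domain value) and a page `url`; the `*.` wildcard syntax, the function names and the sample events are constructed for illustration.

```javascript
// Opt-in allowlist per site (constructed). Sites without an entry keep the
// default behaviour described above: events are accepted from any hostname.
const ALLOWED_HOSTNAMES = new Map([
  ["example.com", ["example.com", "*.example.com"]],
]);

// Exact match, or "*.suffix" matching any subdomain of suffix.
function hostnameMatches(pattern, hostname) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    // The leading dot enforces a label boundary, so "notexample.com"
    // does not pass as a subdomain of "example.com".
    return hostname.length > suffix.length && hostname.endsWith(suffix);
  }
  return hostname === pattern;
}

// Decide whether one event should be counted for the site it claims.
function acceptEvent(event, allowlist = ALLOWED_HOSTNAMES) {
  const patterns = allowlist.get(event.domain);
  if (!patterns) return true; // no allowlist configured for this site
  let hostname;
  try {
    // Normalise case and a trailing root dot before comparing.
    hostname = new URL(event.url).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return false; // unparseable URL cannot be validated: drop it
  }
  return patterns.some((p) => hostnameMatches(p, hostname));
}

// Constructed sample events: same data-domain, different reporting hostnames.
const SAMPLE_EVENTS = [
  { domain: "example.com", url: "https://example.com/pricing" },
  { domain: "example.com", url: "https://blog.example.com/post" },
  { domain: "example.com", url: "https://copycat.test/pricing" },
  { domain: "example.com", url: "https://notexample.com/" },
  { domain: "example.com", url: "https://example.com.other.test/" },
  { domain: "example.com", url: "not a url" },
  { domain: "unfiltered.test", url: "https://anything.test/" },
];

function filterEvents(events, allowlist = ALLOWED_HOSTNAMES) {
  return events.filter((e) => acceptEvent(e, allowlist));
}

console.log(filterEvents(SAMPLE_EVENTS).map((e) => e.url));
```

Because `url` is reported by the client, this check removes events from scripts running on other hostnames; it does not authenticate the sender.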