The current config parameter restrictCertificatesToNamespace behavior is to reject an annotation that match another namespace, but accept any annotation that doesn't match clusterDomain.
Eg : if my cluster domain is cluster.local, and the namespace is default, it will prevent me to get a cert for other-namespace.svc.cluster.local, but will accept things like default.svc.cluster.tld or www.google.com.

What would you like to be added

I would like restrictCertificatesToNamespace to restrict all requests to current namespace, and any that doesn't match should be rejected.

Why this is needed

restrictCertificatesToNamespace appears to be a security feature to prevent service in a namespace to impersonate other namespaces services. It should also prevent impersonation of external services.