This is by specification, per the DOM Living Standard:
NOTE: isTrusted is a convenience that indicates whether an event is dispatched by the user agent (as opposed to using dispatchEvent()). The sole legacy exception is click(), which causes the user agent to dispatch an event whose isTrusted attribute is initialized to false.
Also, in the DOM Level 3 Events Specification:
Events that are generated by the user agent, either as a result of user interaction, or as a direct result of changes to the DOM, are trusted by the user agent with privileges that are not afforded to events generated by script through the createEvent() method, modified using the initEvent() method, or dispatched via the dispatchEvent() method. The isTrusted attribute of trusted events has a value of true, while untrusted events have a isTrusted attribute value of false.
Thus, isTrusted only reflects if the event has been dispatched or created artificially using createEvent, initEvent, or dispatchEvent. Now, look at the definition of Window.scroll per the CSSOM View Module Editor's Draft:
When the scroll() method is invoked these steps must be run:
[...]
- If invoked with two arguments, follow these substeps:
?????[...]
?????12. Perform a scroll of the viewport to position, document’s root element as the associated element, if there is one, or null otherwise, and the scroll behavior being the value of the behavior dictionary member of options.
Nowhere in the method is an artificial event created with createEvent, initEvent, or dispatchEvent, thus the value of isTrusted is true. Note that using Window.scroll still triggers the event handler because it integrates with the event loop, and a scroll event is emitted when a viewport or element is scrolled. This does not, however, use createEvent, initEvent, or dispatchEvent.
Using the isTrusted event isn't a sure-fire way of detecting whether a script generated an event. It only detects if an event has been created and dispatched with createEvent, initEvent, or dispatchEvent.
