That's not what their documentation says. It says that it uses a public gateway, and prompts the user asking if they would like to use a local gateway, at which point it will download go-ipfs and run that. That's a fairly smooth UX to get a local gateway running, but I wouldn't bet money on it being used by the majority. Most people take the path of least resistance, and it's up to projects like Brave or cURL to ensure that the path is safe, which in this case it is not for Brave.
You only have to verify the content yourself if it is not being verified by someone you trust (i.e. a local gateway that you're running yourself).