Right, if you are willing to validate any and all random documents, you will have to have some sort of way to get the schemas. I can think of very few reasons to validate unknown schemas in an application, though. Would be like allowing your parser to take in external entities. Can be useful and there are valid reasons for trusted sources. But not for random documents from the web.
So, agreed it is a bit of a footgun.