In terms of security, what would the point here not to trust the ADDITIONAL section when they match the AUTHORITY section?
There is no security at all regarding the ADDITIONAL section. In case of DNSSEC, the records in the AUTHORITY and ANSWER sections are signed, but those in ADDITIONAL are not. Hence the client CAN NOT trust the content of ADDITIONAL is really coming from the authoritative nameserver, it could have been modified in transit.
So even if you think the record given "matches" the AUTHORITY section, it could completely have been hijacked by an on-path attacker.
Most if not all DNS clients avoid using any data in ADDITIONAL except when there is absolutely no other way, that is when glues are needed. Technically glues are only needed when the nameservers are in-bailiwick that is at or below the domain name. Not just below the same TLD, that is just internal, as we see here, but really as in-bailiwick of the domain name queried.
Here, ns-912.awsdns-50.net. is not in-bailiwick of allcosts.net. and hence its presence in ADDITIONAL is both optional and better to ignore.
But let us go back in resolving your name by doing all the steps, and seeing if we need this record in the ADDITIONAL section and how it helps.
Step 1
allcosts.net is served by:
ns-22.awsdns-02.com.ns-912.awsdns-50.net.ns-1834.awsdns-37.co.uk.ns-1233.awsdns-26.org.
To get any data one of these 4 nameservers has to be contacted hence its name must be resolved. Note of course that the client needs only one of them and does not need to check all 4 of them. But let us try to resolve all those 4 names.
Step 2a: ns-22.awsdns-02.com.
Domain awsdns-02.com. is served by:
g-ns-3.awsdns-02.com.g-ns-578.awsdns-02.com.g-ns-1154.awsdns-02.com.g-ns-1730.awsdns-02.com.
Note how these 4 names are in-bailiwick to this domain, so the parent nameservers return glues (A and AAAA records) for all 4 of them, hence the name ns-22.awsdns-02.com. can be completely resolved, and the initial request can stop there if this was the nameserver picked. The record in the first ADDITIONAL section is useless here.
Step 2b: ns-912.awsdns-50.net.
Domain awsdns-50.net. is served by:
g-ns-1970.awsdns-50.net.g-ns-499.awsdns-50.net.g-ns-820.awsdns-50.net.g-ns-1394.awsdns-50.net.
Again, all bailiwick, so same conclusions as previous step.
Note how ns-912.awsdns-50.net. does not appear anywhere here, so again its IP address in the first ADDITIONAL sections is not needed.
Step 2c ns-1834.awsdns-37.co.uk.
To cut things short, again awsdns-37.co.uk. is served by 4 in-bailiwick domain names, same conclusion.
Step 2d ns-1233.awsdns-26.org.
Same.
Conclusion
No matter what is done to resolve any name under allcosts.net., the IP address of ns-912.awsdns-50.net. given in ADDITIONAL section WILL NOT be used because it is not needed. The authoritative nameservers for awsdns-50.net. will be queried to get the name for ns-912.awsdns-50.net. as the content from the parent will not be trusted.
Postscript
But if useless, why does this record even exist?
Because ns-912.awsdns-50.net. was registered at relevant registry as an host object, by registrar of awsdns-50.net.. You can see it in whois:
$ whois -h whois.verisign-grs.com 'nameserver ns-912.awsdns-50.net.'
Server Name: NS-912.AWSDNS-50.NET
IP Address: 205.251.195.144
Registrar: MarkMonitor Inc.
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
>>> Last update of whois database: 2022-01-09T07:02:41Z <<<
This host object is in fact useless (because this hostname is NOT authoritative on awsdns-50.net.) but maybe it was used in the past OR other domain names under com or net (as same registry) use this host object, hence it can't be deleted.
Also note here that there is no operational consequence because the IP addresses match:
$ dig NS-912.AWSDNS-50.NET @g-ns-1394.AWSDNS-50.NET. +short
205.251.195.144
Glues become a problem when the IP change on one side (ex: child) without being synchronized on the other (parent). But, again, even that here wouldn't impact anything as the ADDITIONAL record is not needed to resolve anything under allcosts.net..
