diff --git a/releasenotes/notes/trusted-blacklist-removal-14c8434d70ab99f2.yaml b/releasenotes/notes/trusted-blacklist-removal-14c8434d70ab99f2.yaml
new file mode 100644
index 0000000000..ed3176a96c
--- /dev/null
+++ b/releasenotes/notes/trusted-blacklist-removal-14c8434d70ab99f2.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - |
+ The add_host host-vars blacklist is no longer effective for trusted
+ playbook.
diff --git a/zuul/executor/server.py b/zuul/executor/server.py
index fa004b408c..4282fd3174 100644
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@@ -2450,7 +2450,8 @@ class AnsibleJob(object):
 if self.executor_variables_file is not None:
 cmd.extend(['-e@%s' % self.executor_variables_file])
- cmd.extend(['-e', '@' + self.jobdir.ansible_vars_blacklist])
+ if not playbook.trusted:
+ cmd.extend(['-e', '@' + self.jobdir.ansible_vars_blacklist])
 self.emitPlaybookBanner(playbook, 'START', phase)
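Review bot: Variables named in the blacklist file are no longer masked in trusted playbooks once the `if not playbook.trusted:` guard in zuul/executor/server.py skips the `-e` override, and nothing visible in this hunk checks where those values can come from. Because extra vars take the highest precedence in Ansible, the file previously overrode the same names wherever they were set; it should be confirmed that job or host variables defined by untrusted projects cannot carry those names into a trusted playbook's inventory. The guard also needs a comment recording the intent, e.g. `# Trusted playbooks may set the blacklisted host vars (e.g. via add_host); untrusted playbooks keep the -e override.` No test is visible in this diff; one asserting that `self.jobdir.ansible_vars_blacklist` appears in `cmd` only when `playbook.trusted` is false would pin both branches. The enclosing method starts and ends outside the hunk.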