For reasons similar to those mentioned here by Dmitry Butskoy, I needed to make winbind exclude trusted domains. But like he said, "allow trusted domains = no" doesn't seem to affect winbind in this context.
So I built winbindd from source, commenting out the call to rescan_trusted_domains() as Dmitry mentioned here, and it works exactly how I want now!
Looking at the latest version of Samba, 3.5.6, it appears to still not apply that setting in this context. I think rescan_trusted_domains() ought to check lp_allow_trusted_domains() and return if it is false.
If anyone on the Samba team is reading this, I hope you will consider making that change. Hmm, maybe I should submit a patch...