When the persistent store contains an authenticated user, and the store is configured as trusted, receiving a different user authentication from the trusted adapter is not possible, since the adapter is not even asked.
I propose to implement an intermediary solution, where the persistent store is partially trusted. In this mode, the adapter is asked for the userId at every request, and if it return a not null value, this value is compared to the store. If the value match, the user is authenticated, if not, a new authentication occurs as usual.
So this is basically like the NOT trusted persistent store, except that if the adapter return null, the previously authenticated user is kept.