Can you picture a domain login in one domain "mapping over" into a trusted domain and working for SQL access, even though the SQL access is for the other domain, where that user's network login is disabled?
E.g. Domain1\JoeBloe is enabled in Domain1 but has no explicit SQL access and none via groups I can find. Domain2\JoeBloe is disabled in Domain2 but has SQL access. Domain1\JoeBloe can connect to SQL.
SQL Server is actually in Domain3.