Lemmy doesn’t do it currently. It blindly trusts communities to not lie to people. I just found out about this myself.
In theory the JSON body could include all the necessary information to validate a signature and the signature itself. Then, a simple HEAD request could validate the contents without having to re-download everything, and users’ public keys could be cached to minimise HTTP requests necessary.
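A sketch of the check proposed above, added as an illustration and not part of the original comment or of Lemmy's code: the receiving instance verifies a signature carried in the activity body against the author's cached public key, fetching the key only on a cache miss. The envelope fields, the use of Ed25519, the rule that `keyId` must sit under the actor's own URL, and the `home.example` names are all assumptions; the HEAD-request step is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"strings"
)

// Activity is a hypothetical signed envelope (assumed fields, not Lemmy's wire format).
type Activity struct {
	Actor, Content, KeyID string
	Sig                   []byte // author's signature over signedBytes
}
// KeyCache remembers users' public keys between activities.
type KeyCache struct {
	Keys  map[string]ed25519.PublicKey
	Fetch func(keyID string) ed25519.PublicKey // stands in for the HTTP GET; nil on failure
}
// signedBytes serialises every field except the signature (struct field order is fixed).
func signedBytes(a Activity) []byte {
	b, _ := json.Marshal(Activity{a.Actor, a.Content, a.KeyID, nil})
	return b
}
// Verify reports whether the activity was signed by a key belonging to its stated author.
func (c *KeyCache) Verify(a Activity) bool {
	if !strings.HasPrefix(a.KeyID, a.Actor+"#") {
		return false // a relay must not be able to point keyId at a key it controls
	}
	pub, ok := c.Keys[a.KeyID]
	if !ok {
		if pub = c.Fetch(a.KeyID); len(pub) != ed25519.PublicKeySize {
			return false // fetch failed or key malformed: do not cache it
		}
		c.Keys[a.KeyID] = pub
	}
	return ed25519.Verify(pub, signedBytes(a), a.Sig)
}
// runDemo: a constructed user signs a comment; the relaying community alters one copy.
func runDemo() (genuine, repeat, altered bool, fetches int) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	c := &KeyCache{Keys: map[string]ed25519.PublicKey{}}
	c.Fetch = func(string) ed25519.PublicKey { fetches++; return pub }
	a := Activity{Actor: "https://home.example/u/alice", Content: "hi", KeyID: "https://home.example/u/alice#key"}
	a.Sig = ed25519.Sign(priv, signedBytes(a))
	forged := Activity{a.Actor, "edited in transit", a.KeyID, a.Sig}
	genuine, repeat, altered = c.Verify(a), c.Verify(a), c.Verify(forged)
	return
}
func main() { fmt.Println(runDemo()) }
```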