The PI AF Server never connects to the PI Data Archive. It just provides the PI Server name and the PI Point name stored in the connection string of the AF attribute to the client, which is responsible for making the connection to the PI Data Archive.
The AF client application (like PI System Explorer) is able to connect to the PI Data Archive through explicit login (PI User), PI Trusts or WIS (Windows Integrated Security). The first option is not secure at all. As you are able to connect with PI Trusts specifying an IP address, your client application does not have to be on a domain or a trusted domain. Nevertheless, WIS is more secure than PI Trusts, which is why it is preferable to choose this option. This concerns the security of the PI Data Archive.
Concerning the security of the PI AF Server, it is recommended for the AF client application to be on the same domain as the PI AF Server or on a trusted domain. Nevertheless, if this is not possible, you can create a local user with the same name and password on both the client and the server machines. You will need to run your AF client application under this user account in order to be able to connect to the PI AF Server. Again, authenticating with domain accounts is more secure than with local accounts.
I invite you to read the user manual called PI AF Installation and Upgrade Guide for more information.
Hope this helps!
Thank you Marcos!