Kevin,
Only access ports may be configured as untrusted, so a trunk or port-channel cannot be configured as untrusted. I'm a little unclear on your test topology.
This would have worked:
Unmanaged_SW -------- (Access Port) SX500
These would not work:
Unmanaged_SW -------- (Trunk Port) SX500
This is the error you should have seen.
(host) (gigabitethernet "1/0/0") #no trusted port
Error: Trunk ports cannot be untrusted
Unmanaged_SW -------- (Port Channel) SX500
The "no trusted port" command is not accepted at all on a port-channel interface.
Regarding "I believe routing through the MAS forced the CP profile despite the not-untrusted trunk port.", how exactly did you have this configured then? The only way I can picture it is like this, but you still shouldn't have hit the CP page.
!
interface vlan X
ip address X.X.X.X Y.Y.Y.Y
!
vlan x
aaa-profile "TEST"
!
interface gigabitethernet "X/Y/Z"
switching-profile "TRUNK"
!
Best regards,
Madani