Workflow/activity namespace isolation

Is it possible for a workflow to execute activities or child workflows in another namespace? If so, would the ability to create custom authorization schemes be able to prevent that from happening?

Currently, the authorization interceptor only plugs in into the frontend service. Child workflows are started without going through the frontend. We are looking at providing an option for disabling such calls.