Yes, in our case we had a CronJob that was responsible for syncing secrets from the default namespace to other namespaces (we needed to do that to slowly implement some sort of transition mechanism from a non-Istio namespace to an Istio one). Unfortunately, the sync logic did not exclude non-application secrets, such as SA tokens and Istio certificates. So it was not really an issue with Istio.
I highly recommend you use `istioctl authn tls-check` to check for any conflicting mesh policies / destination rules.
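The exclusion that the sync job described above was missing, as an added example that is not part of the original reply and is not the poster's CronJob code. It filters the JSON shape returned by `kubectl get secrets -o json`; the function names, the `istio.io/` type-prefix check, the `istio.` name-prefix check and the sample data are assumptions made for illustration.

```python
import copy

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_ANNOTATION = "kubernetes.io/service-account.name"
# Assumption: Istio-issued secrets carry an "istio.io/" type or an "istio." name.
ISTIO_TYPE_PREFIX = "istio.io/"
ISTIO_NAME_PREFIX = "istio."
# Fields set by the API server for the source object; they must not be copied.
SERVER_FIELDS = ("namespace", "uid", "resourceVersion", "creationTimestamp",
                 "selfLink", "ownerReferences", "managedFields")

def is_application_secret(secret):
    """True only for secrets that are safe to copy to another namespace."""
    meta = secret.get("metadata", {})
    stype = secret.get("type", "Opaque")
    if stype == SA_TOKEN_TYPE or SA_ANNOTATION in (meta.get("annotations") or {}):
        return False  # token is bound to a ServiceAccount in the source namespace
    if stype.startswith(ISTIO_TYPE_PREFIX):
        return False  # workload certificate issued for the source namespace
    if meta.get("name", "").startswith(ISTIO_NAME_PREFIX):
        return False
    return True

def plan_sync(secret_list, target_namespace):
    """Return (manifests to apply in target_namespace, names that were skipped)."""
    to_apply, skipped = [], []
    for secret in secret_list.get("items", []):
        if not is_application_secret(secret):
            skipped.append(secret["metadata"]["name"])
            continue
        clone = copy.deepcopy(secret)
        for field in SERVER_FIELDS:
            clone["metadata"].pop(field, None)
        clone["metadata"]["namespace"] = target_namespace
        to_apply.append(clone)
    return to_apply, skipped

# Constructed sample input, not taken from a real cluster.
SAMPLE = {"items": [
    {"type": "Opaque", "data": {"password": "cGxhY2Vob2xkZXI="},
     "metadata": {"name": "db-credentials", "namespace": "default", "uid": "u-1"}},
    {"type": SA_TOKEN_TYPE,
     "metadata": {"name": "default-token-abc12", "namespace": "default",
                  "annotations": {SA_ANNOTATION: "default"}}},
    {"type": "istio.io/key-and-cert",
     "metadata": {"name": "istio.default", "namespace": "default"}},
]}

if __name__ == "__main__":
    applied, skipped = plan_sync(SAMPLE, "istio-enabled")
    print("apply:", [s["metadata"]["name"] for s in applied], "skip:", skipped)
```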