That's exactly right.
Some versions ago, if you had an email address in the INI file, you would also have to allow that email address in $TARGET_EMAIL.
However, that was extra redundant work. Since the INI file is on the server, it's just as secure from the web as FormMail itself.
Therefore, recent versions of FormMail automatically accept email addresses in the INI file as being safe to send to.