View Issue Details

ID: 0008129
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2022-12-07 14:35
Reporter: Matthias Damm
Assigned To: Matthias Damm
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.04
Target Version: 1.05.03 RC1
Fixed in Version: 1.05.03 RC1
Summary: 0008129: Remove requirement to allow Administrators to disable the DiscoveryEndpoint
Description

The spec states at the moment:
Once a Client retrieves the Endpoints, the Client can save this information and use it to connect directly to the Server again without going through the discovery process. If the Client finds that it cannot connect then the Server configuration may have changed and the Client needs to go through the discovery process again.
DiscoveryEndpoints shall not require any message security, but it may require transport layer security. In production systems, Administrators may disable discovery for security reasons and Clients shall rely on cached EndpointDescriptions. To provide support for systems with disabled Discovery Services Clients shall allow Administrators to manually update the EndpointDescriptions used to connect to a Server. Servers shall allow Administrators to disable the DiscoveryEndpoint.

This makes no sense since in the automatic certificate update scenario with GDS, the client MUST call GetEndpoints to get the new certificate from the server. There is a special status code that indicates that the client is using the wrong certificate and GetEndpoints is the only way to get the new certificate. This new certificate will be used by the client if it is trusted (which will be the case for a GDS managed trust list). We clarified this in errata to 1.04 a while ago.

If Clients are configured to use a certain endpoint setting, they should not change the used parameters by calling GetEndpoints, but an updated certificate must be fetched with GetEndpoints.

If a Client has a "use best security" option, the client MUST verify the GetEndpoints results with the endpoints returned from CreateSession. It is much more important that clients do this check ALWAYS when they automatically select the endpoint.

Additional Information

See also 0007916

Tags: No tags attached.
Commit Version
Fix Due Date

Relationships

related to 0007916, assigned, Karl Deiretsbacher, 10000-007: Profiles, Description of CU "Discovery Client Configure Endpoint" misleading
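
The check the description asks of a "use best security" Client, as an added example that is not part of the issue or of the specification: the endpoint list obtained from GetEndpoints is compared with the list returned by CreateSession, and the session is abandoned if they differ. The `Endpoint` class, the set of compared fields, the function names and the sample endpoints are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    # Assumed comparison set: the fields a Client checks between the two lists.
    endpoint_url: str
    security_mode: str
    security_policy_uri: str
    user_tokens: frozenset
    transport_profile_uri: str
    security_level: int

def pick_best(endpoints):
    """'Use best security': choose the endpoint with the highest securityLevel."""
    return max(endpoints, key=lambda e: e.security_level)

def verify_against_session(discovered, session_endpoints):
    """Compare the GetEndpoints result with the list from CreateSession.

    Order is ignored. Returns (ok, differences); when ok is False the caller
    should close the SecureChannel and not activate the session.
    """
    d, s = set(discovered), set(session_endpoints)
    by_level = lambda e: (e.endpoint_url, e.security_level)
    diffs = [("missing from GetEndpoints", e) for e in sorted(s - d, key=by_level)]
    diffs += [("missing from CreateSession", e) for e in sorted(d - s, key=by_level)]
    return (not diffs, diffs)

# Constructed sample data (hypothetical server URL).
POLICY = "http://opcfoundation.org/UA/SecurityPolicy#"
UATCP = "http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary"

def ep(mode, policy, level):
    return Endpoint("opc.tcp://plc.example:4840", mode, POLICY + policy,
                    frozenset({"Anonymous", "UserName"}), UATCP, level)

# What the Server reports inside the session.
SESSION = [ep("None", "None", 0),
           ep("Sign", "Basic256Sha256", 2),
           ep("SignAndEncrypt", "Basic256Sha256", 3)]
# A discovery answer in which the strongest endpoint is absent.
DISCOVERED_SHORT = SESSION[:2]

if __name__ == "__main__":
    print("selected:", pick_best(DISCOVERED_SHORT).security_mode)
    ok, diffs = verify_against_session(DISCOVERED_SHORT, SESSION)
    print("lists match:", ok)
    for reason, e in diffs:
        print(" ", reason, e.security_mode, e.security_policy_uri)
```

With the shortened discovery list the automatic selection falls back to `Sign`, and the comparison reports the `SignAndEncrypt` endpoint that only the CreateSession list contains.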

Activities

Jim Luth

2022-08-02 17:00

administrator   ~0017214

Discussed in UA meeting. We disagree with the proposed request to disallow the disabling of the DiscoveryEndpoint. Instead, the spec needs to discuss the ramifications of disabling DiscoveryEndpoints when used with Certificate Managers.

Matthias Damm

2022-12-06 20:38

developer   ~0018256

5.4 Discovery Service Set
5.4.1 Overview

Added following clarification:
Automatic Certificate updates with a Certificate Manager do not work if GetEndpoints is not available, since a Client needs to be able to get the new Certificate from the Server after the automatic update of the Server Certificate.

Jim Luth

2022-12-07 14:35

administrator   ~0018260

Agreed to changes edited in Virtual F2F.

Issue History

Date Modified Username Field Change
2022-07-25 13:10 Matthias Damm New Issue
2022-07-25 13:10 Matthias Damm Relationship added related to 0007916
2022-08-02 17:00 Jim Luth Note Added: 0017214
2022-08-02 17:00 Jim Luth Assigned To => Matthias Damm
2022-08-02 17:00 Jim Luth Status new => assigned
2022-12-06 20:38 Matthias Damm Status assigned => resolved
2022-12-06 20:38 Matthias Damm Resolution open => fixed
2022-12-06 20:38 Matthias Damm Fixed in Version => 1.05.03 RC1
2022-12-06 20:38 Matthias Damm Note Added: 0018256
2022-12-07 14:35 Jim Luth Status resolved => closed
2022-12-07 14:35 Jim Luth Note Added: 0018260