SimplePolicy lets Announces through from rejected domains

Consider an Announce activity like this:

{
  "type": "Announce",
  "actor": "https://poa.st/users/graf",
  "object": {
    "type": "Note",
    "actor": "https://gleasonator.com/users/alex"
  }
}

If poa.st is our homeserver, and we configure our policy like this:

config :pleroma, :mrf_simple,
  reject: ["gleasonator.com"]

...the above activity will still go through, even though the object belongs to a blacklisted domain.

This is because SimplePolicy only checks the actor of the activity, and not the object.