correct
and one may do so by verifying its underlying code, as it is all open-source
if you are unable to verify by yourself then yes, you'd have to trust someone. but that someone can be one who you already trust, eliminating the need to rely on people you don't trust (which is the current state of affairs)