I don’t think that Tor relies entirely on trust. it rather relies on the probability that there needs to be at least half of entry and exit nodes compromised for a attacker to be able to deanonymize users trying to access the clearnet. the hidden network is even harder to deanonymize as there are more than 6 hops in the path. and all nodes participating in the network are visible.
proton on the other hand can do what ever they please on their servers and can never get caught with it.