Sorry, let me clarify. We should trust Signal as little as possible. That's how the design should work. Zero trust is very hard to create but let's minimize it.

Opening up usernames (in the conventional sense) you will end up needing to verify and act as an arbiter. This is due to the fact that certain usernames have real world meaning behind them and you don't want to create an ecosystem where it is really easy to honeypot whistleblowing platforms (how do you ensure that CNN gets {CNN, CNN-News, CNNNews, etc}?). They've suggested that this might be the case given that the "Notes to self" and "Signal" users are verified with a blue checkmark. The issue is that verifying users not only makes Signal a more trusted platform but the act of verification requires obtaining more information about the user. It also creates special users. All things I'm very against. I'd rather hand out my phone number than have Signal collecting this type of information. So yeah, it isn't completely trustless, but I certainly don't want to move in the direction of requiring more trust.

You aren't supposed to trust Signal on that; you are supposed to verify it out-of-band using Safety Numbers.

Signal does not tell me which number is which user. I know which number is who myself. The most Signal does is presumably warn me when the key associated with the number changed (eg. new phone).

And that's where I have to trust Signal, but as a protocol not a "trusted source" of information.