Or they can verify them themselves since it's all open source. And for the less technically inclined there's also 3rd party audits and an active bug bounty. Point being, everything is open and transparent, and none of it happens behind the scenes, so that's where the "trustless" comes in.

While yes, that word is overused and misunderstood, and regular users still admittedly do put trust in open source code on a public network, it's a much more open system than we've been able to have before. The trust users depend on in this instance doesn't rely on faith in any single entity to tell you what's changed in their private DB behind the scenes, you can verify it for yourself.

Remember that the smart contract is committed to the blockchain and can never be changed.

Just like when you push your code to a git repo. It's guaranteed immutable, tamper proof. Data side is handled by appending to the blockchain as well. But this doesn't mean it's bug-free.

You have essentially a tamper proof Database with Stored Procedures that doesn't need DBAs. I imagine it as a giant growing BitTorrent file that is maintained (and rewarded) by many computers worldwide. Any tampering to this file, it's immediately detected via hashing (just like in BitTorrent).

The only way to break this is by branching out like you do in git. But in Blockchain, you will have to convince those computers to maintain your fork. And on this note, a Blockchain is technically not controlled by 1 entity, it is the choice of every individual blockchain maintainers (aka miners).