No, this is wrong, you need some sort of connection to send transactions - which might not even necessarily be Internet connection, since there are already methods that allow you to send BTC transactions via SMS, but you can create transactions in an isolated offline environment, which will prevent malicious code from sending your private keys to its masters. However, malicious/poorly written clients can make you lose your coins in other ways, like replacing your receiving and change addresses with attacker addresses, replacing destination addresses, using weak random number generators, reusing k parameter of ECDSA, and so on. So, you will always have to put some trust in wallets, and you should check discussions of wallets that you use from time to time to keep them up to date and receive all the recent bugfixes.