You have to trust software to spend your coin when you spend it.
Risk and trust can never be zero, but it is all about reducing your risk to a minimum. If I want to spend from my paper wallet, then I will be importing my seed to my permanently airgapped computer, using it to sign a transaction, and then moving my signed transaction to an internet connected computer to broadcast it. Even if I have the most malicious software wallet in existence on my airgapped computer, there is nothing it can do to steal my coins. If it signs a transaction to the wrong address, for example, I can easily pick that up before moving the transaction to my live computer to be broadcast.
Creating a key "by hand" also has a greater potential to make mistakes.
I don't disagree with you here, and as I said above I wouldn't recommend this technique to new users by any means. But if someone knows what they are doing, and double checks everything, then it's a more secure method to generate entropy than relying on third-party code which you almost certainly haven't audited.
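A check of the kind described in the post above, written as an added example rather than code from the poster: it parses a serialised Bitcoin transaction, lists every output as address and amount, and flags anything that does not match what you intended to send, so it can be run on the online machine before the signed transaction is broadcast. It assumes the intended destinations are supplied as a dict of address to satoshis, decodes only legacy mainnet P2PKH outputs (anything else is shown as raw script), and the sample transaction is constructed here with an empty scriptSig.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58check(payload: bytes) -> str:
    # Base58Check: payload (version byte + hash160) followed by a 4-byte double-SHA256 checksum
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out  # each leading zero byte -> '1'

def read_varint(buf: bytes, pos: int):
    n = buf[pos]
    if n < 0xFD:
        return n, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[n]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def script_to_address(spk: bytes) -> str:
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return b58check(b"\x00" + spk[3:23])  # mainnet P2PKH
    return "raw:" + spk.hex()  # anything else (P2SH, bech32, ...) is shown as raw script

def tx_outputs(raw_hex: str):
    # Walk the serialised transaction and return [(address, satoshis)] for every output
    buf, pos = bytes.fromhex(raw_hex), 4  # skip the 4-byte version
    if buf[4:6] == b"\x00\x01":  # segwit marker+flag; witness data comes after the outputs
        pos += 2
    n_in, pos = read_varint(buf, pos)
    for _ in range(n_in):
        slen, pos = read_varint(buf, pos + 36)  # skip previous txid + output index
        pos += slen + 4  # skip scriptSig and sequence
    n_out, pos = read_varint(buf, pos)
    outs = []
    for _ in range(n_out):
        value = int.from_bytes(buf[pos:pos + 8], "little")
        slen, pos = read_varint(buf, pos + 8)
        outs.append((script_to_address(buf[pos:pos + slen]), value))
        pos += slen
    return outs

def unexpected_outputs(raw_hex: str, intended: dict):
    # Every output whose address or amount differs from the intended {address: satoshis} map
    return [o for o in tx_outputs(raw_hex) if intended.get(o[0]) != o[1]]

# Constructed sample: one input with an empty scriptSig (no real signature), one 0.001 BTC output
# to the P2PKH address whose hash160 is twenty zero bytes (1111111111111111111114oLvT2).
SAMPLE_TX = ("01000000" + "01" + "aa" * 32 + "00000000" + "00" + "ffffffff" + "01"
             + "a086010000000000" + "19" + "76a914" + "00" * 20 + "88ac" + "00000000")
```

A change output returned to your own wallet will also be flagged unless you list it as intended, which is the point: every output, including change, should be one you recognise before the transaction leaves the machine.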