A question about trusting smart contracts

How do you know if a smart contract can be trusted or not?

My understanding was that you can read the source code of any smart contract and verify for yourself. But I've learned that you can only get the byte code. There are online decompilers, but they do not recreate the source code perfectly.

Then there are companies that do smart contract analyses and then mark them as trusted. But that sounds like moving back to centralisation, because now you depend on the companies.

On etherscan, some contracts have their abi and source code in there, but how do you know that the sourcode is real?

Is there a different solution to this? Or am I misunderstanding something? I've only began learning about smart contracts recently.