Proof of Work is the source of truth [0]. That is why Proof of Stake cannot work. You are describing one of the biggest of the problems with PoS perfectly.
The source of truth is the website you trust to vend you unadulterated node software; the source of truth is not Proof of Work itself. Once you define the trust problem to include the initial software download, the trust assumptions are not so different at all, as explained by Vitalik:
> Essentially, the first time a node comes online, and any subsequent time a node comes online after being offline for a very long duration (i.e. multiple months), that node must find some third-party source to determine the correct head of the chain. This could be their friend, it could be exchanges and block explorer sites, the client developers themselves, or many other actors. PoW does not have this requirement.
> However, arguably this is a very weak requirement; in fact, users need to trust client developers and/or "the community" to about this extent already. At the very least, users need to trust someone (usually client developers) to tell them what the protocol is and what any updates to the protocol have been. This is unavoidable in any software application. Hence, the marginal additional trust requirement that PoS imposes is still quite low.
[0] https://dergigi.com/2021/01/14/bitcoin-is-time/