Correct. It's even more complicated than just trusting a "no logs" policy. You have to also trust that no one with hardware access (rogue VPN company employees, datacenter people, law enforcement and intelligence services) intercepts your traffic or messes with the servers, and that the servers themselves don't get hacked due to some vulnerabilities. Recall how NordVPN recently got hacked because a datacenter operator left vulnerable remote management software exposed.
Tor might have its vulnerabilities as well, like all software. Not to forget that pretty much anyone can run an entry guard today and at least associate your IP with usage of Tor.
And yes, Tor provides far more anonymity than any VPN service ever could.
However, some Tor relays are malicious. And we have no way of verifying which ones are or aren't, except by trusting the Tor Project. It's true that there's lots more independent oversight, however. But that CMU exploit of the "relay early" bug is a red flag, because the Tor Project didn't detect the malicious relays for at least weeks.
Anyway, I use nested VPN chains to access the Tor network. So if I get pwned through a malicious entry guard, at least they'll only learn the final VPN exit address.