[lorenzhs]

Your argument is a classical example of "correct in theory, wildly misleading in practice". As you can see on https://trac.torproject.org/projects/tor/wiki/doc/badRelays (list isn't updated any more, so the real list is likely much longer) or http://www.cs.kau.se/philwint/spoiled_onions/techreport.pdf, there have been several cases where relays actively interfered with user traffic in a malicious way. Malicious exit nodes are used to MitM connections and sniff sensitive data.

Note that Tor doesn't mitigate the three-letter agency problem, as they can just sniff the exit node's target (I certainly would, there's bound to be lots of interesting traffic there).