[andrewla]

> It turns out that "trustless" is more subtle and not quite as discrete as we might've thought.

That's exactly it -- even in the centralized variants, the "trusted" authority doesn't have a lot of power. The main power they have is censoring transactions, both in the present (not accepting a new transaction) and in the past (rewriting the chain to omit a transaction and all of its dependents).

The ability to rewrite history is a dangerous one, but is mitigated by the fact that they can't do so undetected by the network. This is a social/economic effect rather than a cryptographic one, which has its own dangers, but means that the trusted authority risks losing (or forking) its status to a competing trusted authority for the same coin if the consensus of the network is that they cannot be trusted.

The forward security guarantees are just that the transactions are signed, and those signatures cannot be forged, even by the trusted authority, so there is no way for another actor (including the trusted authority) without access to your private keys to spend your coins.