You do indeed have to trust the checksum itself.

But that can still sort of protect against some attacks. For example, a third-party intercepting your download and swapping it with another file without either side knowing.

Or it can be useful to make sure something didn’t go wrong accidentally with the download, such as a mysterious bitflip, or problems with your hard drive.