How are query calls verified

I received an interesting question on twitter. Not quite sure the answer

One thing has been bothering me for a while: since data transfer (pulling data from a subnet node) occurs outside of a subnet’s consensus, how this charge be trustless? If not trustless, any subnet node would be able to steal Cycles from any user/canister, right?

Hopefully someone can chime in.

Query calls are not verified, so a single node can make up arbitrary responses. If this is bad for your application (i.e. you want the user to be able rely on their account balance or chat inbox), then use update calls, or use certified variables.

But query calls cannot modify state, so they cannot be used to “steal” cycles, only waste them - like update calls.