“Social Onboarding” clients will fix the “first trusted app” problem. Simply by “inviting” their friends (from a client equipped in this way) to create profiles and “follow them”, Nostr advocates are implicitly “trusting” this client to faithfully present their (client, user and content) recommendations to the new users. In this way, any client that supports “Social Onboarding” (a web client with “invites” accessible via a shared link that creates a profile which “follows” and presents recommendations from the inviter) in a single “unbroken and trusted flow” can act as the “first trusted client”.
That's ok, especially given the fact that onboarding a new user poses no risk for the newly created key - there's nothing valuable tied to it yet. My concern is when this flow is used to log in to apps with existing valuable keys - you don't want to trust the app itself to show its own verifiers.