Not sure about NSO specifically, but this actually is how it works. If they screw someone over, others won't sell their 0days. Except they don't pay the $2MM up front; they pay out based on a pre-agreed lifespan of the exploit.
First you provide a description of the exploit, then you get an estimate, then you have to provide the exploit for vetting, and the payout has multiple cliffs, similar to equity vesting in a company.
This way you can't sell them an exploit for $2MM and go play Robin Hood by reporting it to the vendor once the check clears.
And I would argue most trade is not based on trust, except for maybe trust in the legal system and repercussions if someone tries to screw you over.