If they will not send data to their servers anymore, then they can easily regain trust by just introducing a contractual obligation to pay out a reasonable sum if they are found to be doing so that would disincentive them from doing so. Say 1 year of revenue or ~$100B? Since they have control over their own actions and there is no reason to send data to their servers anymore, then that would be pure upside with no risk if they are being truthful. However, until they make promises where success and failure can be evaluated by non-technical individuals and there is actual downside when failing to fulfill those promises, I see no reason for anyone to believe their claims if they will not put their money where their mouth is.
Not really. GDPR establishes specific rules around data protection and retention, but what I am proposing is having them establish a contractual obligation to abide by their claims with pre-defined damages in the event of a breach of contract to demonstrate a commitment to their claims. GDPR is about data protection, this model is about honesty/fulfilling obligations which just so happens to be about data protection in this case. If they want to gobble up all the data and they are completely honest and forward about it such that the average impacted individual properly understands the scope and degree of what is occurring, then I do not care too much about it since at least everybody is going in with open-ish eyes. It is doing so while lying about it or appealing to people's wishful thinking then blaming them for not reading the fine print that is truly evil.
