
Wallets tend to have two main features: A) generate random private keys and B) given some private key, sign a transaction and broadcast this message to the network.

Pen, paper, and some dice (and a bit of work) can generate a private key for step A, which you can input into a hardware wallet, and which would have prevented the problem in the OP.

It’s also possible to write your own wallet software or use a “trusted” tool (e.g., openssl or node) to create a private key, rather than rely on a random app or device off eBay to generate it for you.

The B) part is harder to do with pen and paper or an off-the-shelf tool as it involves a fair bit of protocol-specific math—but it’s also harder to target in a hardware wallet supply chain attack.
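The dice method for step A described in the comment above, as an added example that is not part of the original thread. It assumes the secp256k1 curve (used by Bitcoin and Ethereum), and the function name `dice_to_private_key` is hypothetical. Faces 5 and 6 are discarded so that each accepted roll yields exactly two unbiased bits.

```python
# Added example: dice rolls -> 256-bit private key (not from the thread).
# Assumption: secp256k1, so a valid key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
KEY_BITS = 256


def dice_to_private_key(rolls):
    """Map fair six-sided die rolls to a private key as 64 hex digits.

    Faces 1-4 contribute two bits each; faces 5 and 6 are discarded, so
    every accepted roll is uniform over four values and no modulo bias
    is introduced. Exactly 128 accepted rolls are consumed.
    """
    value, bits = 0, 0
    for face in rolls:
        if face not in (1, 2, 3, 4, 5, 6):
            raise ValueError(f"not a die face: {face!r}")
        if face > 4:
            continue  # discard instead of reducing modulo 4
        value = (value << 2) | (face - 1)
        bits += 2
        if bits == KEY_BITS:
            break
    if bits < KEY_BITS:
        raise ValueError(f"need {KEY_BITS // 2} rolls in 1-4, got {bits // 2}")
    # Reject 0 and anything >= N rather than wrapping, which would bias the key.
    if not 1 <= value < SECP256K1_N:
        raise ValueError("value outside [1, N-1]; roll again from scratch")
    return f"{value:064x}"


if __name__ == "__main__":
    # Constructed, patterned rolls for demonstration only; never a real key.
    demo_rolls = [3, 6, 1, 4, 2, 5] * 32
    print(dice_to_private_key(demo_rolls))
```

Run it on an offline machine and enter the resulting hex string into the wallet by hand; on average about 192 physical rolls are needed to collect 128 usable ones.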




So clearly pen and paper doesn't work, since it isn't possible to sign a transaction and broadcast the message to the network using only a pen and a paper.

Writing a software wallet would involve using third-party compilers, operating systems and hardware, which means it isn't "trustless".


As far as the OP is concerned, a wallet generated via a dice roll and pen would have worked to circumvent the vulnerability.

And we probably have different definitions of “trustless.” See here for a common understanding within crypto:

https://www.preethikasireddy.com/post/what-do-we-mean-by-blo...

It doesn’t mean “you can perform some action without trusting anybody or anything at all.” Protocols, software, hardware, and even your environment will all require various degrees of trust.


From the interactions that I've had with many supporters of cryptocurrencies on Twitter and Reddit, I don't think that this is a common understanding of the word "trustless" (which literally means "without trust", by the way) within this community.

Even if we take "trustless" to mean "not trusting a single, centralised party" it's not clear at all that blockchains are trustless or even that they're more trustless than other payment systems such as Visa. That's a question that can't be answered from abstract principles. It would need to be answered empirically.


Of course it will depend who you ask; but most Ethereum developers at least would probably agree that the word “trustless” shouldn’t be interpreted literally as “without trust” to the extent your comments suggest, just as “serverless” systems might still involve servers. Call it a misnomer; there’s plenty in the English language.



