Right, you can’t be 100% sure, but there are measures that they can take to make you trust them a bit more. For example, I believe Mullvad runs systems in RAM and keeps no records of who uses what. You don’t even have to give them your email address; they don’t want it. And they submit to regular audits (provided you trust the auditors).
Also, if the client matters, then don’t use their client. Use the OpenVPN client instead.