> (if anyone knows how to verify HIBP does only what it says it does [rather than blindly trust and hope for the best], would love to read more about it)

I recall HIBP documents their hashing protocol so that it should be possible to have a non-web client you can trust more.

https://haveibeenpwned.com/API/v3#PwnedPasswords