GPG WoT is checked by querying pgp.cs.uu.nl, could use wotsap if it's locally installed. However, the version of wotsap in debian only supports short, insecure keyids, so is less secure than using the server. And, locally running wotsap needs to download the WoT database from a server anyway, so does not seem to add any security.

Once we have a WoT path, we could download each gpg key in the path and verify the path. This would avoid trusting pgp.cs.uu.nl not to be evil. Not done yet, partly because downloading a lot of gpg keys is expensive. But also because even if this check were done, bad data in the WoT could be backed up by real keys on the keyservers.

The decentralized way is for the user do some key signing, get into the WoT, and then gpg can tell them if the key is trusted itself. This already works of course.