1) the admin user can do anything anywhere
2) the creator of a record can specify permissions on his own records
3) other users can edit a record only if they are given explicit permission by that record's creator
According to those rules, if a certain record doesn't have any permissions specified for it, then only the creator and the admin user can access it. If you would like to "trust" all users with non restricted records, then you set trust mode to true.