I think you might be right that a system doesn't need to be fully Sybil-resistant if you're bootstrapping your web of trust from people you actually know. The main developers of Matrix are working on decentralised reputation systems[0] which might show how this can scale, and I think the underlying protocols of both Matrix and the Fediverse are general enough that they could support granting reputations to content/hashes as well as people/groups/CAs.
Also it sounds like you're almost suggesting some sort of zero-knowledge proof system, whereby a user could calculate the average trust rating for a given entity across all their (friends of) friends, without that result disclosing the rating given by any specific friend. There are probably already algorithms for doing that, if necessary using the techniques of privacy-preserving cryptocurrencies.
[0] https://matrix.org/blog/2020/10/19/combating-abuse-in-matrix...
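
The private average described in the comment above can be computed with additive secret sharing (secure summation), which is a different technique from a zero-knowledge proof. This is an added example, not part of the original comment: the friend names, the 0 to 10 rating scale, the modulus and the function names are assumptions, and it assumes friends follow the protocol and do not collude.

```python
import secrets

MODULUS = 2**61 - 1   # assumed share modulus; must exceed the largest possible total
MAX_RATING = 10       # assumed rating scale 0..10
MIN_RATERS = 3        # with fewer raters the total itself exposes individual ratings


def split_rating(rating, n_parties):
    """Split one rating into n_parties random shares that sum to it mod MODULUS."""
    if not 0 <= rating <= MAX_RATING:
        raise ValueError("rating out of range")
    shares = [secrets.randbelow(MODULUS) for _ in range(n_parties - 1)]
    shares.append((rating - sum(shares)) % MODULUS)
    return shares


def private_average(ratings):
    """Simulate the exchange; return (average, published partial sums)."""
    n = len(ratings)
    if n < MIN_RATERS:
        raise ValueError("too few raters to hide any single rating")
    # Row i holds the shares friend i sends out, one per friend (including itself).
    outbox = [split_rating(r, n) for r in ratings]
    # Friend j adds up the shares it received and publishes only that sum.
    partial_sums = [sum(outbox[i][j] for i in range(n)) % MODULUS for j in range(n)]
    total = sum(partial_sums) % MODULUS
    return total / n, partial_sums


if __name__ == "__main__":
    # Constructed sample: ratings four friends privately hold for one entity.
    ratings = {"alice": 7, "bob": 9, "carol": 4, "dave": 10}
    average, published = private_average(list(ratings.values()))
    print("published partial sums:", published)
    print("average trust rating:", average)
```

Each published partial sum on its own is a uniformly random value; only the sum of all of them is meaningful.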