It's trustless right? I guess the swap provider partially signs a transaction that requires the same pre-image that the Lightning payment depends on?

Although, I'm not sure about confirmations - we need to ensure the Lightning payment is held back until there have been a few confirmations?