pgp: How can I trust a GPG key when I download it based on the fingerprint contained in the file I want to verify?

The instructions at https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#3 suggest that you download an ISO to install an operating system, along with the checksums and a signature. Next, you try to verify the signature with

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

which, if you still do not have the required keys, will give an error like:

gpg: Signature made Thu Apr 5 22:19:36 2018 EDT
gpg:                using DSA key ID 46181433FBB75451
gpg: Can't check signature: No public key
gpg: Signature made Thu Apr 5 22:19:36 2018 EDT
gpg:                using RSA key ID D94AA3F0EFE21092
gpg: Can't check signature: No public key

The tutorial then says that "This is a really useful message …" since it tells us which keys to download, and proceeds to tell the user how to download those keys from a key server.

What I do not understand is this: if I somehow downloaded a compromised file, why would I trust the key IDs that are given to me when I try to verify the file? If the file is compromised, it could be signed with a different key. My understanding of key servers is that anyone can upload keys, and that the servers stay synchronized with each other, so by running gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys ... I would simply download the wrong key, which would tell me that the file verified and lull me into a false sense of security. What have I missed?
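One way to act on this concern, as an added example that is not from the question, the Ubuntu tutorial or GnuPG itself: pin the full 40-hex-digit fingerprint obtained out of band (for example from the project's HTTPS page) and check the key fetched from the key server against it, since the key ID in the error message comes from the file being verified and is nothing more than the last 16 hex digits of the fingerprint. The fingerprint, key ID and `gpg --with-colons` output below are constructed samples, not Ubuntu's real keys; the `inspect_key` helper that shells out to gpg is hypothetical glue.

```python
"""Pin a GPG key's full fingerprint before trusting a signature check."""
import subprocess

# Constructed placeholder fingerprint, NOT a real Ubuntu key.
PINNED_FINGERPRINTS = {
    "example signing key (constructed)": "0123456789ABCDEF0123456789ABCDEF01234567",
}

# Constructed sample of `gpg --with-colons --fingerprint <keyid>` output.
# Real layout: a 'pub' record (key ID in field 5) followed by an 'fpr'
# record carrying the primary fingerprint in field 10 (index 9).
SAMPLE_COLONS = (
    "pub:-:4096:1:89ABCDEF01234567:1337000000::-:::scESC::::::23::0:\n"
    "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\n"
    "uid:-::::1337000000::0000000000000000000000000000000000000000::"
    "Example Key (constructed) <example@example.invalid>::::::::::0:\n"
)


def long_key_id(fingerprint: str) -> str:
    """The 'long' key ID gpg prints is just the fingerprint's last 16 hex
    digits, so matching it adds no trust beyond what the fingerprint gives."""
    return fingerprint.replace(" ", "").upper()[-16:]


def primary_fingerprints(colons_output: str) -> list[str]:
    """Extract primary-key fingerprints (first 'fpr' after each 'pub')."""
    fprs, expect_primary = [], False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_primary = True
        elif fields[0] == "fpr" and expect_primary:
            fprs.append(fields[9].upper())
            expect_primary = False
    return fprs


def key_is_pinned(colons_output: str, claimed_key_id: str) -> bool:
    """True only if a fetched primary key matches a pinned fingerprint AND
    that fingerprint ends in the key ID the signature error reported."""
    pinned = set(PINNED_FINGERPRINTS.values())
    return any(fpr in pinned and long_key_id(fpr) == claimed_key_id.upper()
               for fpr in primary_fingerprints(colons_output))


def inspect_key(key_id: str) -> str:
    """Hypothetical helper: ask the local gpg for a fetched key's records."""
    return subprocess.run(["gpg", "--with-colons", "--fingerprint", key_id],
                          capture_output=True, text=True, check=True).stdout
```

Run `key_is_pinned(inspect_key("<key id from the error>"), "<key id from the error>")` after `--recv-keys`; only if it returns True is the `--verify` result worth anything.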