pull down to refresh

The statements may all be true to varying degrees. As an "outsider" and fairly recent federation member, these questions were one of the key points we had to overcome before deciding to take a bet on Liquid and start building on top of the chain.
After having been involved for some time and experienced the inner working of the federation, I can say for sure that the keys are distributed globally with hardware modules. Who controls each key is not currently known by us, but we can imagine that the requirements and responsibilities placed on an operator is significant and rules out a lot of organisations. It may very well be that several keys are indeed operated by one party until the network has grown to a size where the keys can actually be distributed.
In terms of being permissionless, you don't need anyone to peg-in or issue an asset, however, the network rules currently require that peg-out keys are held with federation members (I believe this was a result of engineers seeing edge-cases around permitting users to be able to do so directly - this may change going forward if the federation drives this question).
In the end, we feel the federation is doing its utmost to ensure the integrity of the chain and the management and distribution of keys (even to the point of decreasing usability like 102 confirmation peg-ins and peg-outs only via federation member keys). They have our full confidence.
(FYI. This question isn't new. If you look at the bitcointalk forum, "fellowtraveller" tried to create a protocol called "open transactions" where users could peg-in/out assets and trade them p2p. He was ahead of his time. Eventually the implementation failed due to the voting pools which he foresaw never being resolved.)