Lightning Network relies on a network of payment channels.

When two users open a payment channel together, they create a new 2-of-2 multisig address. As they are funding it, they also create an exit transaction for each user. The exit transactions can be activated unilaterally.

To update the balances in the channel consent of both parties is required. Therefore, no other party can move your balance. The only counterparty risk with two honest users is that your channel partner could be unavailable to update the channel. If you decided to close the channel then, your funds would be locked for the agreed-upon waiting period of your exit transaction.

If your partner decides to close the channel unilaterally, or when you collaborate to do so, your funds become immediately available for spending.

In the case that your counterparty tries to dishonestly execute an outdated exit transaction, you fallback to an anti-cheat transaction that builds on your counterparty's exit transaction. You could monitor the network yourself to safeguard against this case, but the anti-cheat transactions can be safely distributed in the network and have an attached bounty to make it interesting for third parties to monitor on your behalf. When a third party broadcasts the anti-cheat they'd assign the bounty to themselves, but would be unable to touch the remaining funds.

The counterparty risks at most include loss of utility when a channel is closed prematurely on you, an agreed-upon waiting period when you close a channel, or the cost of a bounty at the gain of the dishonest party's funds in a cheating attempt. At no point does another party have custodial control of your funds.