With smart contracts, I know transactions are verified by multiple nodes, but reading only requires one node. What if that one node is malicious and gives out corrupted data? Is this possible?
Yes, it is technically possible for a node to be malicious and to return modified results (to either all queries or just selected ones).
Apart from non-technical ways to minimize the risk of retrieving data from a malicious node (e.g. request data only from reputable providers, ...), you can set up your own node that you have control over. Here are two widely used open-source Ethereum clients that you can run on your machine:
Both are capable of communicating with external apps using the standardized JSON RPC API (there are wrappers over this API, for example web3 and ethers.js libraries).
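The following is an added example, not part of the original answer: it uses a node you run yourself as the reference and flags any other node whose answer to the same JSON-RPC `eth_call` differs. The node names, contract address, block number and responses are constructed sample data; in real use each response would come from POSTing the request to that node's JSON-RPC endpoint.

```javascript
// Added example: compare one read (eth_call) across several nodes.
// Node names, the contract address and all responses are constructed.

// Build a standard JSON-RPC eth_call request pinned to one block number, so
// honest nodes at different chain heights still answer the same question.
function buildEthCall(to, data, blockNumber, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to, data }, "0x" + blockNumber.toString(16)],
  };
}

// responses: { nodeName: jsonRpcResponseObject }
// The node you operate is the reference. Every other node that errors,
// echoes a different request id, or returns different bytes is reported.
function crossCheck(request, responses, ownNode) {
  const reference = responses[ownNode];
  if (!reference || typeof reference.result !== "string") {
    throw new Error("no usable answer from own node: " + ownNode);
  }
  const expected = reference.result.toLowerCase();
  const mismatched = [];
  for (const [name, res] of Object.entries(responses)) {
    if (name === ownNode) continue;
    if (res.id !== request.id || res.error || typeof res.result !== "string") {
      mismatched.push({ node: name, reason: "invalid or error response" });
    } else if (res.result.toLowerCase() !== expected) {
      mismatched.push({ node: name, reason: "result differs", got: res.result });
    }
  }
  return { expected, mismatched, consistent: mismatched.length === 0 };
}

// Constructed sample: a balanceOf(address) read returning one uint256 word.
const word = (n) => "0x" + n.toString(16).padStart(64, "0");
const sampleRequest = buildEthCall(
  "0x" + "11".repeat(20),                 // placeholder contract address
  "0x70a08231" + "22".repeat(20).padStart(64, "0"), // selector + padded address
  18000000
);
const sampleResponses = {
  "own-node": { jsonrpc: "2.0", id: 1, result: word(1000n) },
  "provider-a": { jsonrpc: "2.0", id: 1, result: word(1000n) },
  "provider-b": { jsonrpc: "2.0", id: 1, result: word(5n) }, // altered value
};
const report = crossCheck(sampleRequest, sampleResponses, "own-node");
console.log(JSON.stringify(report, null, 2));
```

Pinning the call to a block number rather than `latest` matters: two honest nodes that are a block apart can legitimately return different values for `latest`, which would look like tampering.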