Does anyone know of a way to say "trust all neighbors on network 192.168.100.0/24"?

 May I know what we meant by trust?  Are you expecting a traffic inspection (L4/L7) ? or any routes from the respective neighbor must be injected directly into the routing table without any filtering? 

Based on my knowledge. by nature of BGP routing protocol peering is manual. unless you configure BGP peering on both ends, BGP peering will not come up automatically like OSPF or EIGRP. you can script it or preconfigure it if required.

The feature BGP neighbor range / BGP neighbor subnet is not available on NSX-T Tier-0:

If it was, it'd only allow you to specify one ASN as well (and not an ASN range). Given that you probably should also be doing prefix filtering, this is a good job for the API. The payload only requires a few lines of JSON and is pretty doable, even if it needs to be chained after vCD.

This approach would let you keep your existing design pattern with minimal changes, and get allow your tenant Tier-0s/VRFs to have unique ASNs if you want.

Prefix Filtering:

https://vdc-download.vmware.com/vmwb-repository/dcr-public/ce4128ae-8334-4f91-871b-ecce254cf69e/488f... 

https://vdc-download.vmware.com/vmwb-repository/dcr-public/ce4128ae-8334-4f91-871b-ecce254cf69e/488f... 

Add BGP Neighbor via the API:
https://vdc-download.vmware.com/vmwb-repository/dcr-public/ce4128ae-8334-4f91-871b-ecce254cf69e/488f...