OK, say you want to make a transaction. You fill out four things in the PC client: the wallet to transfer from, the amount of BTC, the destination address and the password for the wallet.
You press OK, and the transaction is sent to the device via USB for signing.
The Send-To address is changed by malware to another address before being sent to hardware wallet for signing. Hardware signs the transaction.
You cannot get any security on compromised computer! It is only a question how sophisticated is the malware.
marketed as a bitcoin-related device. Catch-22.