I'm confused as to why the PIN code is entered into the wallet application, rather than the device itself - surely that increases the risk of a successful physical theft. Assuming the PIN code is not changed on a regular basis, using the device on an infected workstation would essentially render the PIN code useless if attacked through a combination of both digital and physical means. On the other hand, if the code was to be entered on the Trezor itself, such a scenario is not possible unless the PIN code is provided by the owner under duress.
I recommend watching this speech from the Bitcoin 2013 conference:
https://www.youtube.com/watch?v=3t18a-wXBnw
The guy explains the Trezor and shows how the PIN code works and why it's there.